Free5GC
cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*
- 4.1.0
A denial-of-service vulnerability has been identified in Free5GC version 4.1.0, specifically within the AMF component's 'HandleRegistrationComplete' function in the 'internal/gmm/handler.go' file. The issue arises when the AMF receives an out-of-sequence NAS message during the registration process, causing the AMF process to crash. This vulnerability can be exploited remotely, without any authentication.
Exploitation of this vulnerability leads to a crash of the AMF process, causing a denial-of-service condition where the service is unavailable or unresponsive.
To reproduce this vulnerability, send a UplinkNASTransport message that includes a Registration Complete NAS message, after the AMF has processed the Security Mode Complete step and entered the 'Waiting for Identity Response' state. This out-of-sequence message will cause the AMF to crash.
Users are advised to update to Free5GC version 4.2.0, where this issue has been fixed.
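The defensive pattern this class of bug calls for, shown as an added example (not free5GC code and not the 4.2.0 fix): validate every uplink NAS message against the UE's current state before a handler runs, and contain handler panics per message. The state names, message names and the `Reg` context field are hypothetical, and the example assumes the handler depends on per-UE context that is not yet populated when the message arrives early.

```go
package main

import (
	"errors"
	"fmt"
)

// State and message names are hypothetical, not free5GC identifiers.
type State int
type MsgType int
const (
	WaitIdentityResponse, ContextSetup, Registered State   = 0, 1, 2
	IdentityResponse, RegistrationComplete         MsgType = 0, 1
)

var ErrOutOfSequence = errors.New("NAS message not allowed in current state")
// allowed: per state, the uplink NAS messages accepted and the next state.
var allowed = map[State]map[MsgType]State{
	WaitIdentityResponse: {IdentityResponse: ContextSetup},
	ContextSetup:         {RegistrationComplete: Registered},
}

type UE struct {
	State State
	Reg   *struct{ Confirmed bool } // assumed: nil until the identity step completes
}

// Dispatch checks the message against the UE state before touching context,
// and turns a handler panic into an error so one UE cannot stop the process.
func Dispatch(ue *UE, m MsgType) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("handler panic contained: %v", r)
		}
	}()
	next, ok := allowed[ue.State][m]
	if !ok {
		return ErrOutOfSequence // message dropped, state unchanged
	}
	if m == IdentityResponse {
		ue.Reg = &struct{ Confirmed bool }{}
	} else {
		ue.Reg.Confirmed = true // panics if Reg is nil; contained by the recover above
	}
	ue.State = next
	return nil
}

func main() { fmt.Println(Dispatch(&UE{}, RegistrationComplete)) }
```

The transition table is the primary control; the `recover` is a backstop for a UE context that is inconsistent with its recorded state.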