Skip to main content

Free5GC CVE-2026-30653

| EUVDEUVD-2026-14889 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-03-24 mitre GHSA-xwf4-w8f7-pwr9
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 24, 2026 - 15:15 euvd
EUVD-2026-14889
Analysis Generated
Mar 24, 2026 - 15:15 vuln.today
CVE Published
Mar 24, 2026 - 00:00 nvd
HIGH 7.5

DescriptionCVE.org

An issue in Free5GC v.4.2.0 and before allows a remote attacker to cause a denial of service via the function HandleAuthenticationFailure of the component AMF

AnalysisAI

Free5GC versions 4.2.0 and earlier are vulnerable to denial of service attacks through improper handling of authentication failures in the AMF component, allowing unauthenticated remote attackers to crash the service. The vulnerability requires no user interaction and can be exploited over the network, potentially disrupting 5G core network operations. No patch is currently available.

Technical ContextAI

Free5GC is an open-source 5G core network implementation written in Go. The Access and Mobility Management Function (AMF) is a critical component responsible for authentication, mobility management, and connection establishment for 5G User Equipment (UE). The HandleAuthenticationFailure function is specifically designed to process authentication failure notifications from the Home Subscriber Server (HSS) or other authentication providers. The vulnerability appears to be rooted in improper handling of authentication failure messages—likely a missing input validation, improper state management, or resource exhaustion issue (CWE category likely related to improper input validation or denial of service). The affected CPE indicates the vulnerability applies to the generic Free5GC project rather than a specific vendor distribution, making this a direct upstream issue affecting all deployments that have not patched beyond v4.2.0.

RemediationAI

Immediately upgrade Free5GC to a version after v4.2.0 (check the upstream repository at https://github.com/free5gc/free5gc for the latest stable release with the fix applied). Review the upstream issue at https://github.com/free5gc/free5gc/issues/826 for patch details and changelog. Until a patched version can be deployed, consider implementing network-level mitigations: restrict AMF access to trusted HSS/authentication servers only via firewall rules, implement rate limiting on authentication failure messages to prevent resource exhaustion, and monitor AMF CPU and memory usage for anomalies that may indicate ongoing exploitation. If the deployment is in a laboratory or non-critical environment, isolate the affected Free5GC instance from production networks pending the patch.

Share

CVE-2026-30653 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy