CVE-2026-4531 Overview
A denial of service vulnerability has been identified in Free5GC 4.1.0, specifically affecting the HandleRegistrationComplete function within the internal/gmm/handler.go file of the AMF (Access and Mobility Management Function) component. This weakness allows remote attackers to cause service disruption by manipulating the registration completion process without proper state validation.
Critical Impact
Remote attackers can disrupt 5G core network operations by exploiting improper resource cleanup in the AMF component, potentially affecting mobile network availability.
Affected Products
- Free5GC 4.1.0
- Free5GC AMF Component (versions prior to patch 52e9386401ce56ea773c5aa587d4cdf7d53da799)
Discovery Timeline
- 2026-03-22 - CVE-2026-4531 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-4531
Vulnerability Analysis
This vulnerability is classified under CWE-404 (Improper Resource Shutdown or Release). The flaw exists in the AMF component's handling of the registration completion process. The HandleRegistrationComplete function fails to properly validate the state of the T3550 timer before attempting to stop it. When a Registration Complete message is received unexpectedly (when T3550 is not running), the function proceeds without proper guard conditions, leading to improper resource management and potential denial of service conditions.
The vulnerability is remotely exploitable over the network without requiring authentication or user interaction. This makes it particularly concerning for 5G core network deployments where the AMF serves as a critical control plane function responsible for handling UE (User Equipment) registration and mobility management.
Root Cause
The root cause is a missing state validation check in the HandleRegistrationComplete function. The code fails to verify whether the T3550 timer is actively running before attempting to stop it. This oversight allows malformed or unexpected Registration Complete messages to trigger improper behavior in the GMM (GPRS Mobility Management) state machine, leading to resource handling issues.
Attack Vector
An attacker can remotely send crafted Registration Complete messages to the AMF component. Since the function lacks proper validation of the T3550 timer state, these messages can be processed even when the system is not in an appropriate state, causing denial of service conditions that impact the availability of the 5G core network infrastructure.
) error {
ue.GmmLog.Info("Handle Registration Complete")
+ if ue.T3550 == nil {
+ return fmt.Errorf("unexpected Registration Complete: T3550 not running")
+ }
ue.StopT3550()
// Release existed old SmContext when Initial Registration completed
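Review bot: the new guard reads ue.T3550 directly before the unchanged ue.StopT3550() call, so it only rejects a repeated Registration Complete if StopT3550 (and timer expiry) resets ue.T3550 to nil. That is not visible in this hunk and is worth confirming, ideally with a test that delivers the message twice for the same UE. Separately, ue.GmmLog.Info("Handle Registration Complete") still runs before the guard, so rejected messages are logged as if handled; consider moving the log below the check or logging the rejection at warning level with the UE identity so it can be alerted on.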
Source: GitHub AMF Commit Update
Detection Methods for CVE-2026-4531
Indicators of Compromise
- Unexpected Registration Complete messages received when T3550 timer is not active
- Abnormal patterns of registration state transitions in AMF logs
- Service disruption or crashes in the AMF component following unusual NAS signaling activity
Detection Strategies
- Monitor AMF logs for error messages indicating unexpected Registration Complete processing
- Implement network-level monitoring for anomalous NAS (Non-Access Stratum) signaling patterns targeting the AMF
- Deploy intrusion detection rules to identify potential exploitation attempts against 5G core components
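One way to act on the log-monitoring strategy above, as an added example (not Free5GC or vendor code): a Go scan that matches the error text introduced by the patch and flags UEs that trigger it repeatedly within a short window. The log layout (leading RFC 3339 timestamp, a `supi:` tag), the sample lines and the `FlagUEs` name are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"time"
)

// Assumed log layout (not from the page): RFC 3339 timestamp, then a
// supi:<id> tag, then the error text returned by the patched handler.
var guardRe = regexp.MustCompile(
	`(?m)^(\S+) .*supi:([\w-]+).*unexpected Registration Complete: T3550 not running`)

// Constructed sample lines, not real AMF output.
const sampleLog = `2026-03-23T10:00:01Z [ERRO][AMF][GMM][supi:imsi-001] unexpected Registration Complete: T3550 not running
2026-03-23T10:00:02Z [INFO][AMF][GMM][supi:imsi-002] Handle Registration Complete
2026-03-23T10:00:03Z [ERRO][AMF][GMM][supi:imsi-001] unexpected Registration Complete: T3550 not running
2026-03-23T10:00:04Z [ERRO][AMF][GMM][supi:imsi-001] unexpected Registration Complete: T3550 not running
2026-03-23T10:05:00Z [ERRO][AMF][GMM][supi:imsi-003] unexpected Registration Complete: T3550 not running`

// FlagUEs returns, sorted, the UEs that hit the guard at least threshold
// times inside any window-long span of the log.
func FlagUEs(log string, threshold int, window time.Duration) []string {
	hits := map[string][]time.Time{}
	for _, m := range guardRe.FindAllStringSubmatch(log, -1) {
		ts, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			continue // line does not follow the assumed layout
		}
		hits[m[2]] = append(hits[m[2]], ts)
	}
	flagged := []string{}
	for ue, ts := range hits {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		for i := threshold - 1; i >= 0 && i < len(ts); i++ {
			if ts[i].Sub(ts[i-threshold+1]) <= window {
				flagged = append(flagged, ue)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	fmt.Println(FlagUEs(sampleLog, 3, 10*time.Second))
}
```

Only an AMF that includes the fix returns this error, so the scan covers attempts made after patching; adjust the pattern to the log format your deployment actually emits.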
Monitoring Recommendations
- Enable detailed logging in the GMM handler to capture state machine transitions
- Set up alerts for AMF service restarts or availability degradation
- Monitor for repeated registration attempts from suspicious UE identities
How to Mitigate CVE-2026-4531
Immediate Actions Required
- Apply the security patch commit 52e9386401ce56ea773c5aa587d4cdf7d53da799 to the Free5GC AMF component
- Review and update to the latest Free5GC release that includes this fix
- Implement network segmentation to limit exposure of the AMF component to untrusted networks
Patch Information
The vulnerability has been addressed in commit 52e9386401ce56ea773c5aa587d4cdf7d53da799. The fix adds a guard condition to check if the T3550 timer is running before processing Registration Complete messages, returning an error if the message is received unexpectedly. Details are available in the GitHub AMF Pull Request and the GitHub Free5GC Issue Report.
Workarounds
- Implement network-level filtering to restrict access to the AMF component from untrusted sources
- Deploy rate limiting on NAS signaling interfaces to mitigate potential denial of service attempts
- Consider deploying a Web Application Firewall (WAF) or similar security controls in front of 5G core network functions
# Configuration example
# Restrict AMF access to trusted network segments only
# Example iptables rules to limit access to the AMF NGAP port (38412, carried over SCTP, not TCP)
# Replace <trusted_network_cidr> with the CIDR of the trusted gNB/RAN segment
iptables -A INPUT -p sctp --dport 38412 -s <trusted_network_cidr> -j ACCEPT
iptables -A INPUT -p sctp --dport 38412 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

