CVE-2026-5661 Overview
A denial of service vulnerability has been identified in Free5GC version 4.2.0. This vulnerability affects an unknown function within the NGSetupRequest Handler component of the Access and Mobility Management Function (AMF). Through manipulation of requests to this handler, an attacker can trigger a denial of service condition. The attack can be launched remotely over the network, making it a concern for organizations running Free5GC in production 5G core network deployments. The exploit has been reported as publicly available, increasing the urgency for affected organizations to apply mitigations.
Critical Impact
Remote attackers can disrupt 5G core network operations by targeting the AMF's NGSetupRequest Handler, potentially causing service outages for connected gNB (5G base stations) and user equipment.
Affected Products
- Free5GC 4.2.0
- Free5GC AMF (Access and Mobility Management Function) component
- 5G Core Network deployments using vulnerable Free5GC versions
Discovery Timeline
- 2026-04-06 - CVE-2026-5661 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-5661
Vulnerability Analysis
This vulnerability is classified under CWE-404 (Improper Resource Shutdown or Release), indicating that the NGSetupRequest Handler fails to properly manage resources when processing certain requests. The vulnerability exists in the AMF component, which is a critical network function in the 5G Service Based Architecture (SBA) responsible for handling registration, connection, and mobility management for user equipment.
When an attacker sends specially crafted NGSetupRequest messages to the AMF, the handler does not properly release or manage allocated resources. This improper resource handling can lead to resource exhaustion or a crash condition, resulting in denial of service. The network-based attack vector means that any attacker with network access to the N2 interface (the interface between gNB and AMF) could potentially exploit this vulnerability.
Root Cause
The root cause of CVE-2026-5661 lies in improper resource shutdown or release (CWE-404) within the NGSetupRequest Handler. When processing NG Setup procedures—which are used to establish associations between gNBs and the AMF—the handler fails to properly validate input or manage the lifecycle of allocated resources. This oversight allows malformed or malicious requests to trigger a condition where resources are not properly cleaned up, leading to service degradation or complete denial of service.
Attack Vector
The attack vector for this vulnerability is network-based, requiring no authentication or user interaction. An attacker can exploit this vulnerability by:
- Gaining network access to the N2 interface or any path that reaches the AMF's NGSetupRequest Handler
- Crafting malicious NGSetupRequest messages with specific manipulations
- Sending the crafted messages to the vulnerable AMF component
- Triggering improper resource handling that leads to denial of service
The vulnerability mechanism involves improper handling of NGSetupRequest messages in the AMF component. When the handler receives a malformed or specially crafted request, it fails to properly release allocated resources, which can lead to resource exhaustion and service disruption. For technical details and the proposed fix, see the GitHub Pull Request #201 and GitHub Issue #832.
Detection Methods for CVE-2026-5661
Indicators of Compromise
- Unusual volume of NGSetupRequest messages from unexpected sources
- AMF service crashes or restarts without scheduled maintenance
- Resource exhaustion indicators in AMF logs (memory/CPU spikes)
- Failed NG Setup procedures logged by connected gNBs
Detection Strategies
- Monitor N2 interface traffic for anomalous NGSetupRequest patterns using network intrusion detection systems
- Implement log analysis rules to detect repeated AMF service failures or restarts
- Deploy application-level monitoring to track resource consumption in the AMF component
- Use SentinelOne Singularity Platform to monitor containerized 5G core network functions for anomalous behavior
Monitoring Recommendations
- Enable detailed logging on the AMF component to capture all NGSetupRequest processing events
- Set up alerts for unexpected AMF service interruptions or resource utilization anomalies
- Monitor the Free5GC GitHub repository for security updates and patches
- Implement baseline monitoring for normal NG Setup traffic patterns to detect deviations
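As an added example (not part of the original advisory and not Free5GC code), the Python below applies the indicator "unusual volume of NGSetupRequest messages from unexpected sources" to N2 traffic records, recognizing an NGSetupRequest by its NGAP header (initiatingMessage, procedureCode 21). The event tuple layout, the gNB allowlist, the thresholds and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

NGAP_INITIATING = 0x00   # first APER octet of an NGAP initiatingMessage
PROC_NG_SETUP = 21       # NGAP procedureCode id-NGSetup (3GPP TS 38.413)

def is_ng_setup_request(payload: bytes) -> bool:
    """True if an NGAP PDU (the SCTP DATA payload) is an NGSetupRequest."""
    return (len(payload) >= 2 and payload[0] == NGAP_INITIATING
            and payload[1] == PROC_NG_SETUP)

def detect(events, authorized, max_per_window=3, window_s=60.0):
    """events: time-ordered (ts_seconds, src_ip, ngap_payload) tuples.
    Returns (ts, src_ip, reason) alerts for NGSetupRequests that come from
    a source outside the gNB allowlist or exceed the per-source rate."""
    recent = defaultdict(deque)   # src_ip -> timestamps inside the window
    alerts = []
    for ts, src, payload in events:
        if not is_ng_setup_request(payload):
            continue
        if src not in authorized:
            alerts.append((ts, src, "unauthorized-source"))
        seen = recent[src]
        seen.append(ts)
        while ts - seen[0] > window_s:   # expire entries older than window
            seen.popleft()
        if len(seen) > max_per_window:
            alerts.append((ts, src, "rate-exceeded"))
    return alerts

# Constructed sample data: truncated NGAP headers, not full valid PDUs.
SETUP = bytes.fromhex("001500")   # initiatingMessage, procedureCode 21
OTHER = bytes.fromhex("000f40")   # initiatingMessage, another procedure
AUTHORIZED_GNBS = {"10.0.0.10", "10.0.0.11"}   # assumed allowlist
SAMPLE_EVENTS = [
    (0.0, "10.0.0.10", SETUP),     # normal: one setup per association
    (5.0, "10.0.0.10", OTHER),     # ignored, not an NGSetupRequest
    (10.0, "192.0.2.50", SETUP),   # source not in the allowlist
    (100.0, "10.0.0.11", SETUP), (101.0, "10.0.0.11", SETUP),
    (102.0, "10.0.0.11", SETUP), (103.0, "10.0.0.11", SETUP),
    (104.0, "10.0.0.11", SETUP),   # burst from one source
    (300.0, "10.0.0.11", SETUP),   # window expired, counted afresh
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, AUTHORIZED_GNBS):
        print(alert)
```

Set `max_per_window` and `window_s` from the NG Setup baseline observed in your own deployment rather than from the defaults used here.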
How to Mitigate CVE-2026-5661
Immediate Actions Required
- Review network access controls to restrict N2 interface access to authorized gNBs only
- Implement rate limiting on NGSetupRequest messages at the network perimeter
- Monitor AMF logs for signs of exploitation attempts
- Prepare for deployment of patches once officially released
Patch Information
A fix has been proposed for this vulnerability. Organizations should monitor the GitHub Pull Request #201 for the official patch status. The fix addresses the improper resource handling in the NGSetupRequest Handler. Once merged, organizations should update their Free5GC deployments to the patched version. Additional technical context is available in GitHub Issue #832 and VulDB #355485.
Workarounds
- Implement strict network segmentation to limit access to the N2 interface from untrusted networks
- Deploy a network firewall or security appliance to filter and validate NGSetupRequest messages before they reach the AMF
- Consider implementing connection limits from individual source addresses to reduce the impact of potential exploitation
- Use reverse proxy or API gateway solutions with rate limiting capabilities in front of the AMF service
```bash
# Example: Restrict N2 interface access using iptables (adjust IPs as needed)
# Allow only authorized gNB IP addresses to reach the AMF N2 port
# (rules are evaluated in order, so each ACCEPT must precede the final DROP)
iptables -A INPUT -p sctp --dport 38412 -s <authorized_gnb_ip> -j ACCEPT
iptables -A INPUT -p sctp --dport 38412 -j DROP
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

