CVE-2026-5661 Overview
CVE-2026-5661 affects Free5GC 4.2.0, an open-source 5G core network implementation. The flaw resides in the NGSetupRequest handler within the Access and Mobility Management Function (AMF) component. An attacker can manipulate the handler remotely to trigger a denial of service condition against the 5G core. The vulnerability is classified under CWE-404: Improper Resource Shutdown or Release. Public exploit details are referenced through VulDB and the Free5GC GitHub project, increasing the likelihood of opportunistic exploitation against test labs and production deployments.
Critical Impact
Remote, unauthenticated attackers can crash or disrupt the Free5GC AMF service through crafted NGSetupRequest messages, degrading availability of the 5G core network.
Affected Products
- Free5GC 4.2.0
- Free5GC AMF component (NGSetupRequest Handler)
- Deployments using the affected amfcfg.yaml configuration
Discovery Timeline
- 2026-04-06 - CVE-2026-5661 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-5661
Vulnerability Analysis
The vulnerability resides in the Free5GC AMF's handling of NGSetupRequest messages, which gNodeB elements send to initiate NG interface association with the 5G core. The handler fails to properly release or manage resources when processing malformed or unexpected input, aligning with [CWE-404]. As a result, an unauthenticated remote attacker reaching the N2 interface can send crafted setup requests that cause the AMF process to enter an unstable state or terminate. The Free5GC maintainers tracked the issue through GitHub issue 832 and a corresponding pull request to the AMF repository.
Root Cause
The root cause is improper resource shutdown within the NGSetupRequest processing path. When the handler encounters unexpected message structures, it fails to clean up associated state objects or close connection resources gracefully. Repeated or malformed requests accumulate or directly destabilize the AMF runtime.
Attack Vector
The attack is launched over the network with no authentication or user interaction required. An adversary with access to the N2 signaling path, such as a rogue gNodeB, a compromised transport network, or a misconfigured exposure of the AMF SCTP endpoint, can deliver the malicious NGSetupRequest. Successful exploitation impacts availability of the AMF, disrupting UE registration and mobility procedures for downstream subscribers.
No verified proof-of-concept code is published in this advisory. Refer to the Free5GC issue tracker and the VulDB entry for technical details.
Detection Methods for CVE-2026-5661
Indicators of Compromise
- Unexpected restarts or crashes of the Free5GC AMF service shortly after receiving NG signaling traffic
- Anomalous NGSetupRequest messages originating from unknown or unauthorized gNodeB identifiers
- Spikes in SCTP association attempts targeting the AMF N2 interface from a single source
Detection Strategies
- Monitor AMF process health and log entries around NGSetupRequest handling for panics, stack traces, or abrupt exits
- Inspect SCTP traffic to the N2 interface for malformed NGAP PDUs or repeated setup attempts that fail decoding
- Correlate gNodeB identity values in setup requests against an allowlist defined in amfcfg.yaml
Monitoring Recommendations
- Enable verbose AMF logging during evaluation and forward logs to a central SIEM for pattern analysis
- Alert on AMF restart frequency exceeding baseline thresholds within short time windows
- Track NGAP setup failure counters exposed by Free5GC metrics endpoints
How to Mitigate CVE-2026-5661
Immediate Actions Required
- Restrict network access to the AMF N2 SCTP endpoint to known, authenticated gNodeB peers only
- Apply the upstream fix from the Free5GC AMF pull request 201 once merged into a release
- Audit amfcfg.yaml for exposure of the N2 interface on untrusted networks
Patch Information
The Free5GC project is addressing the issue through pull request 201 in the AMF repository. Operators should track the main Free5GC repository for a tagged release that incorporates the fix and upgrade promptly. Until a patched release is available, apply the changes manually from the pull request after validating them in a non-production environment.
Workarounds
- Place network access control lists between transport networks and the AMF, allowing only trusted gNodeB source addresses
- Deploy an SCTP-aware firewall or IPsec gateway to authenticate and filter N2 traffic
- Run the AMF under a process supervisor that automatically restarts the service while investigations and patching proceed
# Example iptables rule restricting AMF SCTP N2 access to a trusted gNodeB
iptables -A INPUT -p sctp --dport 38412 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p sctp --dport 38412 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

