Free5GC, Buffer Overflow, CVE-2025-29632 (Critical)


How the CVE Works

The vulnerability in Free5GC v4.0.0 arises from improper bounds checking in the AMF component when it processes NGAP messages. An attacker can exploit it by sending a maliciously crafted Initial UE Message whose oversized buffer reaches the `DecodePlainNasNoIntegrityCheck` function. This triggers a stack-based buffer overflow in `handleInitialUEMessageMain` (handler_generated.go), corrupting memory and leading to denial of service (DoS) or potentially remote code execution (RCE), owing to insufficient validation in `GetSecurityHeaderType`.
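As an added example (not free5gc's own code; the constants and the maxNasPduLen bound are assumptions for illustration), a Go pre-check of the kind an AMF can apply to a NAS PDU carried in an Initial UE Message before handing it to the decoder: it enforces length bounds and rejects reserved security header type values instead of reading the octet unchecked.

```go
package main

import (
	"errors"
	"fmt"
)

// 5GMM extended protocol discriminator and the security header type values
// from 3GPP TS 24.501 (octet 2, low nibble). Values 5-15 are reserved.
const (
	epd5GMM      = 0x7E
	shtPlain     = 0x0
	shtMaxValid  = 0x4  // 1-4 are the integrity-protected/ciphered variants
	maxNasPduLen = 4096 // constructed upper bound for this example
)

var ErrMalformedNAS = errors.New("malformed NAS PDU")

// SecurityHeaderType validates a NAS PDU before its security header type is
// read. A plain 5GMM message needs at least EPD, security header octet and
// message type (3 octets); a protected one prefixes a 4-octet MAC and a
// 1-octet sequence number, so the inner plain message starts at offset 7.
func SecurityHeaderType(pdu []byte) (uint8, error) {
	if len(pdu) < 3 || len(pdu) > maxNasPduLen {
		return 0, fmt.Errorf("%w: length %d", ErrMalformedNAS, len(pdu))
	}
	if pdu[0] != epd5GMM {
		return 0, fmt.Errorf("%w: unexpected EPD 0x%02x", ErrMalformedNAS, pdu[0])
	}
	sht := pdu[1] & 0x0F
	if sht > shtMaxValid {
		return 0, fmt.Errorf("%w: reserved security header type %d", ErrMalformedNAS, sht)
	}
	if sht != shtPlain && len(pdu) < 7+3 {
		return 0, fmt.Errorf("%w: protected PDU too short (%d)", ErrMalformedNAS, len(pdu))
	}
	return sht, nil
}

func main() {
	// Constructed sample: a plain 5GMM Registration Request header
	// (EPD 0x7E, plain security header, message type 0x41).
	sample := []byte{0x7E, 0x00, 0x41, 0x01}
	sht, err := SecurityHeaderType(sample)
	fmt.Println(sht, err) // 0 <nil>
	// An oversized payload of the kind described above is rejected up front.
	_, err = SecurityHeaderType(make([]byte, maxNasPduLen+1))
	fmt.Println(err)
}
```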

DailyCVE Form

Platform: Free5GC
Version: 4.0.0
Vulnerability: Buffer Overflow
Severity: Critical
Date: 06/25/2025

Prediction: Patch by 08/15/2025

What Undercode Says

Analytics:

gdb -ex "disas handleInitialUEMessageMain" -ex "q" free5gc-amf
strings libngap.so | grep "SecurityHeader"

How to Exploit:

payload = b"\x41" * 1024 + struct.pack("<Q", 0xdeadbeef)
send_ngap(ue_message=payload)

Protection from this CVE

– Apply vendor patch post-release.
– Enable stack canaries.
– Restrict NGAP port access.

Impact:

– Remote DoS/RCE.
– Compromised AMF service.

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
