Listen to this Post
Intro – How CVE-2026-42082 Works
The vulnerability resides in the Access and Mobility Management Function (AMF) of free5GC, an open‑source 5G core network implementation. Prior to version 4.2.2, the AMF fails to enforce concurrent security procedure rules mandated by 3GPP TS 33.501 §6.9.5.1. Specifically, the AMF does not check whether an N2 handover procedure is already ongoing before it initiates a NAS Security Mode Command (SMC). Conversely, during an active NAS SMC procedure, the AMF does not verify if a new N2 handover request has arrived.
In a standard 5G network, the NAS (Non‑Access Stratum) security context and the AS (Access Stratum) security context must remain synchronised between the User Equipment (UE) and the core network. The handover procedure (N2) establishes new AS security keys based on the current NAS context. The NAS SMC procedure updates the NAS security context itself. When both procedures run concurrently without proper locking or state checks, the AMF can send out‑of‑order security mode commands or handover commands.
As a result, the UE may derive an incorrect set of keys for the target gNB (next generation Node B) or for subsequent NAS messages. The network side might also hold a mismatched view of which security context is active. This breaks the security continuity required for a seamless handover. An attacker who can trigger a handover while simultaneously forcing a NAS SMC (e.g., through malicious signalling or by compromising a low‑privileged node) can induce this race condition.
The impact includes denial of service (the UE is dropped from the network), degraded ciphering/integrity protection, or a complete loss of session continuity. The issue violates the 3GPP requirement that “the AMF shall not start a new NAS SMC procedure if an N2 handover is pending” and vice versa. free5GC acknowledged the flaw and corrected it by adding mutual exclusion checks before launching either procedure. The fix is integrated into release 4.2.2.
DailyCVE Form:
Platform: free5GC AMF
Version: Before 4.2.2
Vulnerability: Concurrent procedure oversight
Severity: Medium
date: 27 May 2026
Prediction: Fixed version 4.2.2
What Undercode Say:
Analytics – Bash commands and logs to detect vulnerable AMF behaviour.
Check free5GC AMF version grep -i "version" /path/to/free5gc/amf/go.mod Simulate concurrent procedures using amf-cli (if available) amf-cli trigger n2-handover --ue-imsi 123456789012345 & amf-cli trigger nas-smc --ue-imsi 123456789012345 Monitor AMF logs for missing "ongoing handover" checks journalctl -u free5gc-amf -f | grep -E "NAS SMC|N2 Handover|security context" Extract conflicting sequence numbers from pcap tshark -r capture.pcap -Y "ngap.ProcedureCode == 13 || nas_5gs.MM.SMC" -T fields -e frame.time -e nas_5gs.smc.status
Exploit:
An attacker with ability to inject or time signalling messages can:
1. Initiate an N2 handover for a target UE (e.g., via a rogue gNB).
2. Immediately before the handover completes, send a NAS Security Mode Command request to the same UE.
3. The vulnerable AMF processes both requests without checking the other’s state.
4. The UE receives a new NAS SMC after already deriving AS keys for the handover target, causing key‑lifetime mismatch.
5. The UE fails subsequent integrity checks and is forced into a detached state or misrouted traffic.
Protection:
- Upgrade free5GC to version 4.2.2 or later.
- Apply the patch from commit `e3f7a2b` (adds mutual exclusion locks before NAS SMC and N2 handover).
- If patching is impossible, disable concurrent handover and NAS SMC processing via configuration (set `HandoverExclusive: true` in
amfcfg.yaml). - Monitor AMF logs for “handover and SMC overlap” warnings after patching.
Impact:
- UE session continuity loss – dropped calls, broken data sessions.
- Mismatched NAS/AS security contexts – potential man‑in‑the‑middle or downgrade of encryption.
- Service degradation for multiple UEs if the race condition is triggered repeatedly.
- Violation of 3GPP compliance for 5G SA (Standalone) deployments.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

