CRITICAL🇵🇱 Wersja polska

CVE-2026-30079

CVSS 9.8v3.1pub. 2026-04-07upd. 2026-04-14

In OpenAirInterface V2.2.0 AMF, Out of sequence messages causes incorrect state transition during UE registration procedure. This allows authentication to be bypassed completely. If a SecurityModeComplete message is sent after InitialUERegistration, a registration reject is received followed by a registration accept! This leads the UE to be registered without proper authentication.

🤖 AI Analysis
How it works

During the UE (User Equipment) registration procedure in the 5G Core Network, the AMF (Access and Mobility Management Function) component improperly handles messages received in unexpected order (CWE-288: Authentication Bypass Using an Alternate Path or Channel). When a SecurityModeComplete message is sent after an InitialUERegistration message — without prior proper authentication sequence completion — AMF first returns a registration rejection (registration reject), followed by acceptance (registration accept). As a result, the AMF state machine transitions to a registered state, despite authentication never being successfully completed.

Impact

An attacker can register a device in the 5G Core Network without any authentication, enabling unauthorized access to network resources, impersonation of legitimate subscribers, and potential disruption of telecommunications infrastructure operations.

Mitigation & patch

Patches available from the vendor should be applied according to the references (bug report: https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/77). It is recommended to monitor the project repository and update to the version containing the patch immediately upon its release. Until the patch is implemented, consider restricting access to AMF interfaces exclusively to trusted network segments.

Who is affected

OpenAirInterface OAI-CN5G-AMF version V2.2.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Openairinterface Oai Cn5g Amf

    APP
    Openairinterface
    2.2.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-30075HIGH7.5ten sam produkt

OpenAirInterface Version 2.2.0 has a Buffer Overflow vulnerability in processing UplinkNASTransport containing...

CVE-2026-30080HIGH7.5ten sam produkt

OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. Configuration has sup...

CVE-2026-30078HIGH7.5ten sam produkt

OpenAirInterface V2.2.0 AMF crashes when it receives an NGAP message with invalid procedure code or invalid PD...

CVE-2025-65805HIGH7.5ten sam produkt

OpenAirInterface CN5G AMF<=v2.1.9 has a buffer overflow vulnerability in processing NAS messages. Unauthorized...

CVE-2025-66786HIGH7.5ten sam produkt

OpenAirInterface CN5G AMF<=v2.0.1 There is a logical error when processing JSON format requests. Unauthorized ...