5gsecurityfree5gcdocker

Demonstrating 5G Core Availability Failures in free5GC

5G core network functions handle critical infrastructure traffic. This article documents three availability vulnerabilities in free5GC—memory growth, nil dereference, and missing IE panics—with controlled demo endpoints and root cause analysis.

ZakariaPublié 10 mai 202515 min de lecture
Demonstrating 5G Core Availability Failures in free5GC — 1

Introduction

5G core network functions (NFs) like the AMF and PCF handle authentication, registration, and policy for all connected devices. Availability failures in these NFs cascade to every connected gNB and UE.

This article covers three demonstrated vulnerabilities with synthetic trigger endpoints for educational purposes.

CVE-2026-41135: PCF Memory Growth

The PCF handler registers CORS middleware inside the request handler via router.Use(cors...). Each request adds another middleware instance to the Gin router, causing unbounded memory growth.

# Trigger: repeat GET requests
curl http://localhost:29503/noam-pcf/v1/config
# Observe memory growth
docker stats pcf

AMF Nil Dereference Panics

CVE-2026-4531 triggers a Registration Complete handler with uninitialized UE context. CVE-2026-30653 sends an Authentication Failure message missing the AuthenticationFailureParameter IE. Both cause nil pointer dereferences and process exit.

  • GET /vulnerable/registration-complete → nil registration context
  • GET /vulnerable/auth-failure → missing AuthenticationFailureParameter IE

Articles connexes

nestjssecurity

Layered Security in NestJS: Composing Guards for Real-World APIs

A practical guide to AuthGuard, VerifiedGuard, RolesGuard, and OwnershipGuard composition.

10 minLire l'article
nextjsprisma

Schema-First Portfolio CMS with Next.js and Prisma

How to migrate a developer portfolio from mock data to PostgreSQL without breaking public pages.

14 minLire l'article

Envie de discuter de ce sujet ou de collaborer sur un projet ?

Me contacter