Vulnerability-Lookup

CVE-2026-41136 (GCVE-0-2026-41136)

Vulnerability from cvelistv5 – Published: 2026-04-21 23:54 – Updated: 2026-04-22 13:11

Title

free5GC AMF missing default case in Content-Type switch in HTTPUEContextTransfer

Summary

free5GC AMF provides Access & Mobility Management Function (AMF) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. Prior to version 1.4.3, the `HTTPUEContextTransfer` handler in `internal/sbi/api_communication.go` does not include a `default` case in the `Content-Type` switch statement. When a request arrives with an unsupported `Content-Type`, the deserialization step is silently skipped, `err` remains `nil`, and the processor is invoked with a completely uninitialized `UeContextTransferRequest` object. Version 1.4.3 contains a fix.

Severity ?

5.5 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

CWE

CWE-440 - Expected Behavior Violation

Assigner

GitHub_M

References

URL

Tags

	https://github.com/free5gc/free5gc/security/advis…	x_refsource_CONFIRM
	https://github.com/free5gc/amf/releases/tag/v1.4.3	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	free5gc	amf	Affected: < 1.4.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41136",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T13:11:04.474863Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T13:11:10.206Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-r99v-75p9-xqm5"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "amf",
          "vendor": "free5gc",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.4.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "free5GC AMF provides Access \u0026 Mobility Management Function (AMF) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. Prior to version 1.4.3, the `HTTPUEContextTransfer` handler in `internal/sbi/api_communication.go` does not include a `default` case in the `Content-Type` switch statement. When a request arrives with an unsupported `Content-Type`, the deserialization step is silently skipped, `err` remains `nil`, and the processor is invoked with a completely uninitialized `UeContextTransferRequest` object. Version 1.4.3 contains a fix."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-440",
              "description": "CWE-440: Expected Behavior Violation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-21T23:54:36.727Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/free5gc/free5gc/security/advisories/GHSA-r99v-75p9-xqm5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-r99v-75p9-xqm5"
        },
        {
          "name": "https://github.com/free5gc/amf/releases/tag/v1.4.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/free5gc/amf/releases/tag/v1.4.3"
        }
      ],
      "source": {
        "advisory": "GHSA-r99v-75p9-xqm5",
        "discovery": "UNKNOWN"
      },
      "title": "free5GC AMF missing default case in Content-Type switch in HTTPUEContextTransfer"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41136",
    "datePublished": "2026-04-21T23:54:36.727Z",
    "dateReserved": "2026-04-17T12:59:15.738Z",
    "dateUpdated": "2026-04-22T13:11:10.206Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-41136",
      "date": "2026-04-25",
      "epss": "0.00026",
      "percentile": "0.07292"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-41136\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-22T00:16:29.423\",\"lastModified\":\"2026-04-23T19:39:32.100\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"free5GC AMF provides Access \u0026 Mobility Management Function (AMF) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. Prior to version 1.4.3, the `HTTPUEContextTransfer` handler in `internal/sbi/api_communication.go` does not include a `default` case in the `Content-Type` switch statement. When a request arrives with an unsupported `Content-Type`, the deserialization step is silently skipped, `err` remains `nil`, and the processor is invoked with a completely uninitialized `UeContextTransferRequest` object. Version 1.4.3 contains a fix.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-440\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:free5gc:amf:*:*:*:*:*:go:*:*\",\"versionEndExcluding\":\"1.4.3\",\"matchCriteriaId\":\"564C38AF-05C1-4D86-809E-47ED1663D8C5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"4.2.1\",\"matchCriteriaId\":\"AA20AB40-343A-4B48-9B29-2A700DEC58B8\"}]}]}],\"references\":[{\"url\":\"https://github.com/free5gc/amf/releases/tag/v1.4.3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/free5gc/free5gc/security/advisories/GHSA-r99v-75p9-xqm5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/free5gc/free5gc/security/advisories/GHSA-r99v-75p9-xqm5\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}"
  }
}

GHSA-R99V-75P9-XQM5

Vulnerability from github – Published: 2026-04-22 19:54 – Updated: 2026-04-22 19:54

Summary

free5GC AMF: Missing default case in Content-Type switch in HTTPUEContextTransfer

Details

Summary

The HTTPUEContextTransfer handler in internal/sbi/api_communication.go does not include a default case in the Content-Type switch statement. When a request arrives with an unsupported Content-Type, the deserialization step is silently skipped, err remains nil, and the processor is invoked with a completely uninitialized UeContextTransferRequest object.

Details

In internal/sbi/api_communication.go, the HTTPUEContextTransfer function handles the Content-Type header with a switch statement that only covers application/json and multipart/related:

switch str[0] {
case applicationjson:
    err = openapi.Deserialize(ueContextTransferRequest.JsonData, requestBody, contentType)
case multipartrelate:
    err = openapi.Deserialize(&ueContextTransferRequest, requestBody, contentType)
// no default case
}

if err != nil {
    // skipped entirely when Content-Type is unsupported
    c.JSON(http.StatusBadRequest, rsp)
    return
}

s.Processor().HandleUEContextTransferRequest(c, ueContextTransferRequest)

This is inconsistent with the two analogous handlers in the same file, HTTPCreateUEContext and HTTPN1N2MessageTransfer, which both correctly include a default branch:

default:
    err = fmt.Errorf("wrong content type")

The fix is simply to add the same default case to HTTPUEContextTransfer.

PoC

With a free5GC deployment running, send a POST request to the UE context transfer endpoint using any unsupported Content-Type (e.g. text/plain):

curl -s -X POST "http://<AMF_IP>/namf-comm/v1/ue-contexts/<ueContextId>/transfer" \\
  -H "Content-Type: text/plain" \\
  -d '{"test":"data"}' \\
  -i

Expected (correct) behavior: 400 Bad Request from the SBI layer, rejecting the request due to unsupported Content-Type — consistent with HTTPCreateUEContext.

Actual (observed) behavior: The SBI-layer error check is bypassed and the processor is reached with an empty request object, returning:

HTTP/1.1 400 Bad Request
{"status": 400, "cause": "MANDATORY_IE_MISSING"}

The MANDATORY_IE_MISSING cause originates from the processor's internal validation, not from the SBI handler — confirming the processor was called with an uninitialized struct.

Impact

The endpoint is an inter-NF SBI API used during AMF-to-AMF UE context handover. It is not directly reachable from external UEs and requires access to the internal 5GC SBI network. The processor's secondary mandatory field validation prevents any unintended state modification, so there is no direct exploitability. However, the SBI handler layer is the intended first line of defense — relying on the processor to compensate for a missing input check increases fragility and violates defense in depth. Any future change to the processor's validation logic could inadvertently expose the system to processing completely empty request objects.

Severity ?

5.5 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/free5gc/amf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41136"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-22T19:54:54Z",
    "nvd_published_at": "2026-04-22T00:16:29Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe `HTTPUEContextTransfer` handler in `internal/sbi/api_communication.go` does not include a `default` case in the `Content-Type` switch statement. When a request arrives with an unsupported `Content-Type`, the deserialization step is silently skipped, `err` remains `nil`, and the processor is invoked with a completely uninitialized `UeContextTransferRequest` object.\n\n## Details\n\nIn `internal/sbi/api_communication.go`, the `HTTPUEContextTransfer` function handles the `Content-Type` header with a switch statement that only covers `application/json` and `multipart/related`:\n\n```go\nswitch str[0] {\ncase applicationjson:\n    err = openapi.Deserialize(ueContextTransferRequest.JsonData, requestBody, contentType)\ncase multipartrelate:\n    err = openapi.Deserialize(\u0026ueContextTransferRequest, requestBody, contentType)\n// no default case\n}\n\nif err != nil {\n    // skipped entirely when Content-Type is unsupported\n    c.JSON(http.StatusBadRequest, rsp)\n    return\n}\n\ns.Processor().HandleUEContextTransferRequest(c, ueContextTransferRequest)\n```\n\nThis is inconsistent with the two analogous handlers in the same file, `HTTPCreateUEContext` and `HTTPN1N2MessageTransfer`, which both correctly include a `default` branch:\n\n```go\ndefault:\n    err = fmt.Errorf(\"wrong content type\")\n```\n\nThe fix is simply to add the same `default` case to `HTTPUEContextTransfer`.\n\n## PoC\n\nWith a free5GC deployment running, send a POST request to the UE context transfer endpoint using any unsupported `Content-Type` (e.g. `text/plain`):\n\n```bash\ncurl -s -X POST \"http://\u003cAMF_IP\u003e/namf-comm/v1/ue-contexts/\u003cueContextId\u003e/transfer\" \\\\\n  -H \"Content-Type: text/plain\" \\\\\n  -d \u0027{\"test\":\"data\"}\u0027 \\\\\n  -i\n```\n\n**Expected (correct) behavior:** `400 Bad Request` from the SBI layer, rejecting the request due to unsupported Content-Type \u2014 consistent with `HTTPCreateUEContext`.\n\n**Actual (observed) behavior:** The SBI-layer error check is bypassed and the processor is reached with an empty request object, returning:\n\n```\nHTTP/1.1 400 Bad Request\n{\"status\": 400, \"cause\": \"MANDATORY_IE_MISSING\"}\n```\n\nThe `MANDATORY_IE_MISSING` cause originates from the processor\u0027s internal validation, not from the SBI handler \u2014 confirming the processor was called with an uninitialized struct.\n\n## Impact\n\nThe endpoint is an inter-NF SBI API used during AMF-to-AMF UE context handover. It is not directly reachable from external UEs and requires access to the internal 5GC SBI network. The processor\u0027s secondary mandatory field validation prevents any unintended state modification, so there is no direct exploitability. However, the SBI handler layer is the intended first line of defense \u2014 relying on the processor to compensate for a missing input check increases fragility and violates defense in depth. Any future change to the processor\u0027s validation logic could inadvertently expose the system to processing completely empty request objects.",
  "id": "GHSA-r99v-75p9-xqm5",
  "modified": "2026-04-22T19:54:54Z",
  "published": "2026-04-22T19:54:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-r99v-75p9-xqm5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41136"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/free5gc/free5gc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "free5GC AMF: Missing default case in Content-Type switch in HTTPUEContextTransfer"
}

FKIE_CVE-2026-41136

Vulnerability from fkie_nvd - Published: 2026-04-22 00:16 - Updated: 2026-04-23 19:39

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/free5gc/amf/releases/tag/v1.4.3	Product, Release Notes
security-advisories@github.com	https://github.com/free5gc/free5gc/security/advisories/GHSA-r99v-75p9-xqm5	Exploit, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/free5gc/free5gc/security/advisories/GHSA-r99v-75p9-xqm5	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	free5gc	amf	*
	free5gc	free5gc	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:free5gc:amf:*:*:*:*:*:go:*:*",
              "matchCriteriaId": "564C38AF-05C1-4D86-809E-47ED1663D8C5",
              "versionEndExcluding": "1.4.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AA20AB40-343A-4B48-9B29-2A700DEC58B8",
              "versionEndIncluding": "4.2.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "free5GC AMF provides Access \u0026 Mobility Management Function (AMF) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. Prior to version 1.4.3, the `HTTPUEContextTransfer` handler in `internal/sbi/api_communication.go` does not include a `default` case in the `Content-Type` switch statement. When a request arrives with an unsupported `Content-Type`, the deserialization step is silently skipped, `err` remains `nil`, and the processor is invoked with a completely uninitialized `UeContextTransferRequest` object. Version 1.4.3 contains a fix."
    }
  ],
  "id": "CVE-2026-41136",
  "lastModified": "2026-04-23T19:39:32.100",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "PROOF_OF_CONCEPT",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-22T00:16:29.423",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/free5gc/amf/releases/tag/v1.4.3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-r99v-75p9-xqm5"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-r99v-75p9-xqm5"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-440"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-41136 (GCVE-0-2026-41136)

GHSA-R99V-75P9-XQM5

Summary

Details

PoC

Impact

FKIE_CVE-2026-41136

Tags

Sightings

Nomenclature