free5GC Security Vulnerability Lab
Active · Started April 2025 · Updated May 2025

Educational security lab with HTTP endpoints that trigger known CVE crash paths in free5GC AMF and PCF network functions—designed for demonstrating impact, observing logs, and explaining root causes.

Experiment signals

  • CVEs demonstrated: 3
  • Network functions: AMF + PCF
  • Crash reproducibility: 100%

free5GC · Docker Compose · Go · 5G Core · NAS Protocol · GTP5G

Research brief

Experiment objectives

  1. Deploy a controlled free5GC stack using Docker Compose with GTP5G kernel module
  2. Implement HTTP demo endpoints that trigger CVE-2026-41135 (PCF memory growth), CVE-2026-4531 (AMF nil deref), and CVE-2026-30653 (AMF auth failure panic)
  3. Document request patterns, expected crash behavior, and root cause analysis for each vulnerability
  4. Create a repeatable demo flow with docker logs observation and pass/fail verification

Key learnings

  • CORS middleware registered inside request handlers causes unbounded memory growth (CVE-2026-41135)
  • NAS message handlers must validate context state before dereferencing registration fields (CVE-2026-4531)
  • Missing IE checks in Authentication Failure paths lead to nil pointer panics (CVE-2026-30653)
  • 5G core NF crashes have cascading availability impact on connected gNB/UE sessions
  • Controlled lab endpoints are essential for responsible vulnerability disclosure demos

Experiment log

Documented steps, architecture notes, and results of the research process.

Overview

This lab provides a controlled environment for demonstrating three availability vulnerabilities in the free5GC 5G core network functions. Each endpoint triggers a known crash or memory-growth path so observers can see the impact, analyze logs, and understand the root cause.

The lab is educational—not an exploit toolkit. Endpoints are synthetic triggers that exercise specific code paths documented in CVE reports.

  • CVE-2026-41135: PCF CORS middleware memory growth
  • CVE-2026-4531: AMF Registration Complete nil dereference
  • CVE-2026-30653: AMF Authentication Failure missing IE panic

Environment Setup

The lab runs free5GC via Docker Compose with the GTP5G kernel module (v0.9.5) for UPF support. MongoDB 4.4 is used for compatibility with CPUs lacking AVX instructions.

  • Install GTP5G kernel module v0.9.5
  • docker compose pull && docker compose up
  • Verify AMF and PCF containers are healthy
  • Access demo endpoints on exposed HTTP ports

Demo Flow

The recommended demo sequence triggers one vulnerability at a time, observes container logs, and documents the crash or memory growth pattern before proceeding to the next.

snippet
# 1. PCF memory growth
curl http://localhost:29503/noam-pcf/v1/config  # repeat 100x

# 2. AMF registration panic
curl http://localhost:29518/vulnerable/registration-complete

# 3. AMF auth failure panic
curl http://localhost:29518/vulnerable/auth-failure

# Observe
docker logs pcf
docker logs amf

Root Cause Analysis

CVE-2026-41135 occurs because the PCF handler calls router.Use(cors...) inside the request handler, registering a new middleware instance per request. Over hundreds of requests, memory grows until the process becomes unstable.

CVE-2026-4531 and CVE-2026-30653 are nil pointer dereferences in GMM handlers that assume registration state or IE presence without validation.