# AMF crash on POST /namf-comm/v1/ue-contexts/{ueContextId}/transfer-update with unknown ueContextId #4339

## Vulnerability Overview

The Open5GS AMF module crashes (segmentation fault) when processing a POST request to `/namf-comm/v1/ue-contexts/{ueContextId}/transfer-update` if the provided `ueContextId` does not exist.

**Technical Details:** The request reaches `amf_nrf_comm_handle_registration_status_request()`. If `amf_ue_find_by_ue_context_id()` fails, the status code is set to 404. The code then jumps to the cleanup logic and attempts to dereference the `amf_ue` pointer, which is NULL at this point, causing a segmentation fault.

## Impact Scope

* **Component:** Open5GS AMF (v2.7.7)
* **Interface:** Nnrf_Communication SBI interface
* **Consequence:** Process termination, leading to service unavailability.

## Remediation

No specific code patch is currently provided on the page, but the line of code requiring a fix is identified:

* `open5gs/src/amf/nrf-handler.c:1960`: Dereferencing `amf_ue` after cleanup, even when it is NULL.

## POC Code

```bash
curl -X POST http://10.33.33.33/namf-comm/v1/ue-contexts/abc/transfer-update \
  -H 'Content-type: application/json' \
  -d '{"transferStatus": "NOT_TRANSFERRED"}'
```
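
The failure pattern from the Technical Details, reduced to a constructed C model beside a hardened form. This is an added example, not Open5GS source: the type and function names, the sample context id and the 204 success code are all assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model, not Open5GS source: every name below is hypothetical. */
typedef struct {
    const char *ctx_id;
    int transfer_pending;   /* per-UE state that the cleanup path resets */
} ue_ctx_t;

static ue_ctx_t known_ue = { "imsi-001010000000001", 1 };  /* constructed sample */

/* Returns NULL for an unknown id, like the lookup the advisory describes. */
static ue_ctx_t *find_ue_by_context_id(const char *id)
{
    return strcmp(known_ue.ctx_id, id) == 0 ? &known_ue : NULL;
}

/* Flawed shape: the 404 path shares a cleanup label that assumes ue != NULL. */
int handle_transfer_update_vulnerable(const char *id)
{
    int status = 204;   /* assumed success code */
    ue_ctx_t *ue = find_ue_by_context_id(id);
    if (!ue) {
        status = 404;
        goto cleanup;
    }
cleanup:
    ue->transfer_pending = 0;   /* NULL dereference when the lookup failed */
    return status;
}

/* Hardened shape: per-UE cleanup runs only when a context was found. */
int handle_transfer_update_hardened(const char *id)
{
    int status = 204;   /* assumed success code */
    ue_ctx_t *ue = find_ue_by_context_id(id);
    if (!ue) {
        status = 404;
        goto cleanup;
    }
cleanup:
    if (ue)
        ue->transfer_pending = 0;
    return status;
}

int main(void)
{
    printf("unknown id -> %d\n", handle_transfer_update_hardened("abc"));
}
```

A regression test for the real fix can follow the same shape: request an unknown `ueContextId`, expect a 404 response, and confirm the AMF process is still running afterwards.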