🤖 AI Summary
This work addresses a critical gap in existing 5G terminal security testing, which predominantly focuses on syntactically invalid inputs while overlooking baseband vulnerabilities arising from protocol field constraint violations or cross-field semantic inconsistencies during the pre-authentication phase. To bridge this gap, the authors propose Constraint-Guided Semantic Testing (ConSeT), a novel framework that introduces semantic consistency validation into 5G pre-authentication testing for the first time. ConSeT parses RRC message structures, extracts protocol specification constraints, and leverages a constrained large language model to infer cross-field dependencies, enabling the automatic generation of syntactically valid yet semantically violating test cases. Evaluation on commercial devices uncovered seven previously unknown vulnerabilities—including three high-severity CVEs—affecting 64 chipsets and 542 device models, while triggering 29 distinct crash points in the open-source OAI UE, thereby exposing a new attack surface where semantic conflicts can induce baseband crashes.
📝 Abstract
Modern 5G user equipment (UE) processes Radio Resource Control (RRC) configuration messages during early control-plane exchanges, before authentication and integrity protection are established. Prior work for testing 5G UEs has largely focused on constructing syntactically invalid inputs. In contrast, we show that syntactically valid but semantically inconsistent messages, which violate specification-level field constraints or cross-field dependencies, can drive baseband implementations into invalid states, triggering assertion failures or modem crashes. These findings reveal semantic inconsistencies in pre-authentication signaling as a critical yet underexplored attack surface in 5G UE implementations. To address this gap, we present Constraint-Guided Semantic Testing (ConSeT), a framework that systematically extracts specification-level constraints and leverages them to generate targeted semantic violations for testing 5G UEs. ConSeT decodes RRC messages into structured fields, derives schema-based rules, infers cross-field dependencies using a Large Language Model (LLM) in an evidence-bounded manner, and produces syntactically valid test cases that intentionally violate semantic constraints. We evaluate ConSeT on both commercial and open-source 5G UEs. On commercial smartphones, it uncovers 7 previously unknown vulnerabilities through responsible disclosure, including 3 high-severity CVEs, affecting 64 chipset models and over 542 commercially available smartphone models. On the open-source OAI UE, ConSeT additionally triggers 29 distinct crash sites.
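The abstract distinguishes two layers of validity: per-field range constraints that a schema-driven decoder enforces, and cross-field dependencies that it does not. The following Python sketch is an added illustration of that distinction, written for this page and not taken from ConSeT or the paper's artefacts. It uses a constructed toy schema whose field names (`bandwidth_rbs`, `start_rb`, `num_rbs`, `timer_ms`, `timer_enabled`) and rules are hypothetical, not real RRC fields; where the paper has an LLM infer cross-field dependencies, the rules here are simply written by hand. A syntax-only check accepts the generated messages, a receiver-side semantic check rejects them, which is the gap the paper describes and the check a hardened baseband would need.

```python
"""Toy constraint-guided semantic test generation (added illustration, not ConSeT's code).

A configuration message is modelled as a dict of integer fields. The schema carries
two kinds of constraints, mirroring the paper's distinction:
  * per-field (syntactic) ranges, which a schema-driven decoder checks, and
  * cross-field (semantic) dependencies, which such a decoder does not check.
All field names, ranges and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Message = Dict[str, int]

# Constructed toy schema: field -> (min, max), inclusive.
FIELD_RANGES: Dict[str, Tuple[int, int]] = {
    "bandwidth_rbs": (1, 275),   # hypothetical carrier width in resource blocks
    "start_rb": (0, 274),        # hypothetical first block of a sub-allocation
    "num_rbs": (1, 275),         # hypothetical length of the sub-allocation
    "timer_ms": (0, 10000),      # hypothetical timer value
    "timer_enabled": (0, 1),     # hypothetical boolean flag
}


@dataclass
class CrossFieldRule:
    """A semantic dependency between fields that a syntactic decoder cannot see."""
    name: str
    fields: Tuple[str, ...]
    holds: Callable[[Message], bool]


# Constructed cross-field dependencies (hand-written stand-ins for inferred rules).
CROSS_FIELD_RULES: List[CrossFieldRule] = [
    CrossFieldRule("allocation_within_carrier",
                   ("start_rb", "num_rbs", "bandwidth_rbs"),
                   lambda m: m["start_rb"] + m["num_rbs"] <= m["bandwidth_rbs"]),
    CrossFieldRule("timer_requires_enable",
                   ("timer_ms", "timer_enabled"),
                   lambda m: m["timer_enabled"] == 1 or m["timer_ms"] == 0),
]

# Constructed seed message that satisfies every constraint.
SEED: Message = {"bandwidth_rbs": 100, "start_rb": 10, "num_rbs": 20,
                 "timer_ms": 500, "timer_enabled": 1}


def syntactic_violations(msg: Message) -> List[str]:
    """Per-field range check: what a schema-driven decoder would reject."""
    out: List[str] = []
    for name, (lo, hi) in FIELD_RANGES.items():
        if name not in msg:
            out.append(f"missing:{name}")
        elif not lo <= msg[name] <= hi:
            out.append(f"range:{name}={msg[name]}")
    return out


def semantic_violations(msg: Message) -> List[str]:
    """Cross-field check: the additional validation a hardened receiver performs."""
    return [r.name for r in CROSS_FIELD_RULES if not r.holds(msg)]


def generate_semantic_violations(seed: Message) -> List[Message]:
    """Mutate a valid seed so every field stays in range but exactly one rule breaks.

    For each rule, each field it depends on is swept over its legal range; the first
    in-range value that falsifies that rule alone becomes a test case. Fields whose
    value cannot break the rule (given the rest of the seed) yield no case.
    """
    cases: List[Message] = []
    for rule in CROSS_FIELD_RULES:
        for fname in rule.fields:
            lo, hi = FIELD_RANGES[fname]
            for v in range(lo, hi + 1):
                cand = dict(seed)
                cand[fname] = v
                if syntactic_violations(cand):
                    continue                      # stay syntactically valid
                if semantic_violations(cand) == [rule.name]:
                    cases.append(cand)            # isolated semantic violation
                    break
    return cases


if __name__ == "__main__":
    for case in generate_semantic_violations(SEED):
        print(case, "syntax:", syntactic_violations(case) or "ok",
              "semantics:", semantic_violations(case))
```

Running the block yields four cases: three break the allocation rule (via `start_rb`, `num_rbs` or `bandwidth_rbs`) and one breaks the timer rule by clearing `timer_enabled`; no in-range `timer_ms` can break the timer rule while the flag is set, so that field produces nothing. Every case passes `syntactic_violations`, which is the point: a receiver that stops at schema checking would accept all of them, and `semantic_violations` is the check that catches them.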