Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was determined in omec-project amf up to 2.1.3-dev. Impacted is the function NGSetupRequest of the file ngap/handler.go. Executing a manipulation of the argument InformationElement can lead to memory corruption. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.2.0 is recommended to address this issue. The affected component should be upgraded. The same pull request fixes multiple security issues.
AnalysisAI
Memory corruption in OMEC Project's Access and Mobility Management Function (AMF) allows authenticated remote attackers to crash the 5G core network component by sending crafted NGAP NG Setup Request messages with malformed InformationElement fields. Affects OMEC AMF versions up to 2.1.3-dev. Publicly available exploit code exists (GitHub issue #671), and vendor patch released in version 2.2.0. CVSS 4.3 (Low severity) reflects low availability impact, requiring authentication (PR:L), but real-world risk is moderate for 5G network operators given public POC and critical infrastructure role of AMF in mobile core networks.
Technical ContextAI
The vulnerability affects the NGAP (NG Application Protocol) handler in omec-project/amf, specifically the NGSetupRequest function in ngap/handler.go. NGAP is the control plane protocol between 5G RAN (Radio Access Network) and AMF in the 5G core. The root cause is CWE-119 (Improper Restriction of Operations within Bounds of Memory Buffer), manifesting as insufficient input validation when parsing NGAP Information Elements. The patch (PR #666) adds defensive nil checks and validates PLMN ID decoding in multiple handlers (gmm/handler.go, nas/nas_security/security.go, ngap/dispatcher.go), preventing memory corruption from malformed SUCI (Subscription Concealed Identifier) and other identity fields. The fix also sanitizes Prometheus metrics labels to prevent non-UTF-8 injection. CPE cpe:2.3:a:omec-project:amf identifies this as the OMEC (Open Mobile Evolved Core) project's AMF component, a critical 5G core network function used in O-RAN and SD-Core deployments.
RemediationAI
Upgrade to OMEC AMF version 2.2.0 or later, released by vendor with fix confirmed via GitHub tag at https://github.com/omec-project/amf/releases/tag/v2.2.0. The patch (PR #666 at https://github.com/omec-project/amf/pull/666) addresses multiple security issues including nil pointer dereference checks, PLMN ID validation, SUCI decoding error handling, and metrics label sanitization. If immediate upgrade is not feasible, implement network-level compensating controls: (1) Restrict NGAP (N2 interface) access to authenticated, trusted gNodeB/RAN equipment only via IPsec or dedicated VPN tunnels - blocks remote unauthenticated attackers but does not prevent exploitation by compromised RAN nodes; (2) Deploy AMF behind stateful firewall with strict SCTP connection tracking and rate limiting on NG Setup Request messages - mitigates DoS amplification but may impact legitimate RAN registration under load; (3) Enable verbose NGAP logging and monitor for malformed InformationElement errors or repeated NG Setup failures from specific RAN sources - provides detection signal but no prevention. Note that workarounds do not eliminate risk if attacker has valid RAN credentials (PR:L). Vendor patch is the only complete remediation.
free5GC is an open-source project for 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 of fr
Denial of service in omec-project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows a low-privil
Denial of service in omec-project's 5G Access and Mobility Management Function (AMF) versions up to 2.0.2 and 2.1.1 allo
Null pointer dereference in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.3-dev allows a
Remote denial of service in omec-project AMF versions up to 2.1.3-dev allows authenticated attackers to crash the Access
Null pointer dereference in OMEC Project AMF versions up to 2.1.3-dev allows remote authenticated attackers to trigger d
Memory corruption in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows authenticate
Memory corruption in the omec-project AMF (Access and Mobility Management Function) NGSetupRequest Handler allows networ
Memory corruption in omec-project AMF versions up to 2.1.1 exposes 5G core network infrastructure to remote exploitation
Memory corruption in omec-project AMF (Access and Mobility Management Function) through version 2.1.1 allows authenticat
Memory corruption in omec-project AMF versions up to 2.1.3-dev allows authenticated remote attackers to trigger low-seve
Memory corruption in OMEC Project AMF up to version 2.1.1 occurs in the NGAP Message Handler when processing malformed m
Same weakness CWE-119 – Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30724
GHSA-fxvj-wqv2-xgcq