Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was identified in omec-project amf up to 2.1.3-dev. The affected element is an unknown function of the file ngap/dispatcher.go of the component NGAP Message Handler. The manipulation leads to memory corruption. The attack may be initiated remotely. The exploit is publicly available and might be used. Upgrading to version 2.2.0 is sufficient to fix this issue. It is suggested to upgrade the affected component. The same pull request fixes multiple security issues.
AnalysisAI
Memory corruption in omec-project AMF versions up to 2.1.3-dev allows authenticated remote attackers to trigger low-severity availability impact via malformed NGAP messages. The vulnerability resides in ngap/dispatcher.go where insufficient null-pointer validation and input sanitization in the NGAP message handler permits memory corruption. Public exploit code exists (GitHub issue #670) with vendor-released fix in version 2.2.0. Despite CVSS 2.1 base score, exploitation probability is low (CVSS:4.0 E:P indicates POC exists) and impact limited to partial availability degradation - authentication required (PR:L) and no confidentiality or integrity impact (VC:N/VI:N).
Technical ContextAI
The vulnerability affects the 5G Access and Mobility Management Function (AMF) component from the Open Networking Foundation's OMEC project, specifically the NGAP (Next Generation Application Protocol) message dispatcher in ngap/dispatcher.go. NGAP is the control-plane signaling protocol between 5G RAN (Radio Access Network) and the core network AMF. The flaw is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), manifesting as missing null-pointer checks before dereferencing SCTP load-balancer messages, RAN context objects, NGAP PDU structures, and mobile identity fields. Source code evidence from PR #666 shows multiple functions (dispatchLb, DispatchNgapMsg, NgapMsgHandler, FetchUeContextWithMobileIdentity) lacked defensive validation, allowing null or malformed data to propagate into memory operations. The patch adds explicit nil-checks and UTF-8 sanitization for Prometheus telemetry labels, preventing crashes from invalid SUCI (Subscription Concealed Identifier) parsing and malformed 5G mobile identity payloads. CPE cpe:2.3:a:omec-project:amf identifies the affected software as the standalone AMF network function implementation.
RemediationAI
Upgrade to omec-project AMF version 2.2.0 or later, which includes comprehensive input validation fixes via pull request #666 (https://github.com/omec-project/amf/pull/666). The patch adds null-pointer checks in dispatchLb, DispatchNgapMsg, NgapMsgHandler, and FetchUeContextWithMobileIdentity functions, plus UTF-8 validation for telemetry labels and error handling for malformed SUCI parsing. Release artifact available at https://github.com/omec-project/amf/releases/tag/v2.2.0. If immediate upgrade is infeasible, implement network-level controls: restrict NGAP connectivity to authenticated, trusted gNodeB endpoints only via firewall rules limiting TCP/SCTP port access to the AMF NGAP listener, deploy intrusion detection signatures to detect malformed NGAP message patterns (specifically null or undersized MobileIdentity5GSContents fields), and enable verbose NGAP message logging to detect exploitation attempts manifesting as repeated memory corruption errors or AMF process crashes. Note that restricting NGAP access breaks core 5G network functionality, so this is temporary defense-in-depth only - patching to 2.2.0 is the definitive fix. Monitor AMF process health and restart policies to ensure service resilience against potential crash-based denial of service during the vulnerable window.
free5GC is an open-source project for 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 of fr
Denial of service in omec-project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows a low-privil
Denial of service in omec-project's 5G Access and Mobility Management Function (AMF) versions up to 2.0.2 and 2.1.1 allo
Null pointer dereference in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.3-dev allows a
Remote denial of service in omec-project AMF versions up to 2.1.3-dev allows authenticated attackers to crash the Access
Null pointer dereference in OMEC Project AMF versions up to 2.1.3-dev allows remote authenticated attackers to trigger d
Memory corruption in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows authenticate
Memory corruption in the omec-project AMF (Access and Mobility Management Function) NGSetupRequest Handler allows networ
Memory corruption in omec-project AMF versions up to 2.1.1 exposes 5G core network infrastructure to remote exploitation
Memory corruption in omec-project AMF (Access and Mobility Management Function) through version 2.1.1 allows authenticat
Memory corruption in OMEC Project's Access and Mobility Management Function (AMF) allows authenticated remote attackers
Memory corruption in OMEC Project AMF up to version 2.1.1 occurs in the NGAP Message Handler when processing malformed m
Same weakness CWE-119 – Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30727
GHSA-3x4g-259h-5p7c