Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A security flaw has been discovered in omec-project amf up to 2.1.3-dev. The impacted element is the function RANConfiguration of the file ngap/handler.go. The manipulation results in null pointer dereference. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 2.2.0 is sufficient to resolve this issue. Upgrading the affected component is recommended. The same pull request fixes multiple security issues.
AnalysisAI
Null pointer dereference in OMEC Project AMF versions up to 2.1.3-dev allows remote authenticated attackers to trigger denial of service via crafted NGAP messages to the RANConfiguration function. The vulnerability (CVE-2026-8781) affects the Access and Mobility Management Function component of the Open Mobile Evolved Core, a critical element in 5G networks. Publicly available exploit code exists (GitHub issue #673), but CVSS 2.1 (Low) reflects limited availability impact and low-privilege authentication requirement. Vendor-released patch: version 2.2.0 (GitHub PR #666).
Technical ContextAI
The OMEC Project AMF (Access and Mobility Management Function) implements the 5G core network control plane handling UE registration and mobility. The vulnerability resides in ngap/handler.go's RANConfiguration function, which processes NGAP (NG Application Protocol) messages exchanged between the AMF and radio access network (RAN). CWE-476 (NULL Pointer Dereference) occurs when the code fails to validate input before dereferencing pointers, typically when parsing malformed SUCI (Subscription Concealed Identifier) data or NGAP PDU structures. The patch (PR #666) adds defensive null checks across multiple handlers (gmm/handler.go, ngap/dispatcher.go, nas/nas_security/security.go) and validates MobileIdentity5GS contents before processing. The CPE cpe:2.3:a:omec-project:amf identifies all versions prior to 2.2.0 as vulnerable. This affects deployments using OMEC as a 5G core solution, particularly in private 5G or edge computing scenarios.
RemediationAI
Upgrade OMEC Project AMF to version 2.2.0 or later, which includes comprehensive null-pointer checks introduced in GitHub pull request #666 (https://github.com/omec-project/amf/pull/666). The patch adds defensive validation across RANConfiguration (ngap/handler.go), HandleIdentityResponse (gmm/handler.go with new test coverage), DispatchLb and DispatchNgapMsg (ngap/dispatcher.go), and FetchUeContextWithMobileIdentity (nas/nas_security/security.go). Release artifact available at https://github.com/omec-project/amf/releases/tag/v2.2.0. If immediate upgrade is not feasible, implement strict input validation at NGAP ingress points: enforce SCTP association authentication via IPsec ESP or DTLS on N2 interface, restrict NGAP message acceptance to cryptographically verified gNodeB sources, and deploy rate limiting on registration requests to mitigate DoS impact. Note that workarounds reduce but do not eliminate risk - null pointer triggering depends on specific malformed SUCI or PDU structures that may bypass shallow validation. Monitor AMF process health and configure automatic restart on segmentation faults as a containment measure, though this introduces brief service interruption during recovery. Full remediation requires the vendor patch.
free5GC is an open-source project for 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 of fr
Denial of service in omec-project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows a low-privil
Denial of service in omec-project's 5G Access and Mobility Management Function (AMF) versions up to 2.0.2 and 2.1.1 allo
Null pointer dereference in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.3-dev allows a
Remote denial of service in omec-project AMF versions up to 2.1.3-dev allows authenticated attackers to crash the Access
Memory corruption in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows authenticate
Memory corruption in the omec-project AMF (Access and Mobility Management Function) NGSetupRequest Handler allows networ
Memory corruption in omec-project AMF versions up to 2.1.1 exposes 5G core network infrastructure to remote exploitation
Memory corruption in omec-project AMF (Access and Mobility Management Function) through version 2.1.1 allows authenticat
Memory corruption in omec-project AMF versions up to 2.1.3-dev allows authenticated remote attackers to trigger low-seve
Memory corruption in OMEC Project's Access and Mobility Management Function (AMF) allows authenticated remote attackers
Memory corruption in OMEC Project AMF up to version 2.1.1 occurs in the NGAP Message Handler when processing malformed m
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30726
GHSA-4qf2-p32m-7hmf