Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A weakness has been identified in omec-project amf up to 2.1.3-dev. This affects an unknown function of the file ngap/handler.go of the component NGAP Message Handler. This manipulation causes null pointer dereference. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. Upgrading to version 2.2.0 mitigates this issue. It is recommended to upgrade the affected component. The same pull request fixes multiple security issues.
AnalysisAI
Remote denial of service in omec-project AMF versions up to 2.1.3-dev allows authenticated attackers to crash the Access and Mobility Management Function via crafted NGAP messages that trigger null pointer dereference in ngap/handler.go. Public exploit code exists (GitHub issue #674). Affects OMEC 5G core network deployments. Patched in version 2.2.0 via PR #666, which addresses multiple security issues including malformed SUCI handling and missing null checks across NGAP message parsing.
Technical ContextAI
The OMEC (Open Mobile Evolved Core) AMF is a 5G core network function implementing the Access and Mobility Management Function per 3GPP specifications. It handles registration, authentication, and mobility for 5G user equipment via the NGAP (Next Generation Application Protocol) interface with gNodeBs. This vulnerability (CWE-476) stems from missing null pointer validation in ngap/handler.go and related message processing paths. The source code diff reveals systemic insufficient error handling when parsing NGAP PDUs, SCTP load balancer messages, and NAS mobile identity fields (SUCI - Subscription Concealed Identifier). Specifically, the code failed to validate that mobileIdentity5GSContents, NGAP PDU objects, RAN context pointers, and SCTP connection objects were non-null before dereferencing, leading to null pointer exceptions when malformed or unexpected protocol messages arrived. The fix introduced defensive null checks at dispatcher and handler entry points plus improved PLMN ID decoding with explicit error returns.
RemediationAI
Upgrade to omec-project AMF version 2.2.0 or later, confirmed patched per vendor release notes at https://github.com/omec-project/amf/releases/tag/v2.2.0. The fix is delivered via PR #666 (https://github.com/omec-project/amf/pull/666), which addresses multiple null pointer vulnerabilities including the NGAP handler issue plus related input validation flaws in SUCI decoding and metrics telemetry. For environments unable to immediately upgrade, implement strict NGAP peer authentication and network segmentation to limit exposure to trusted gNodeB infrastructure only - restrict SCTP connectivity (typically port 38412) to known base station IP addresses via firewall rules. Monitor AMF logs for repeated restarts or null pointer exceptions in ngap/handler.go as indicators of exploitation attempts. Note that workarounds provide only partial mitigation since the vulnerability is in core protocol handling; the firewall restrictions reduce attack surface but do not eliminate risk from compromised or rogue base stations within the trust boundary. Plan upgrade during maintenance window as AMF restart will briefly disrupt 5G registrations.
free5GC is an open-source project for 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 of fr
Denial of service in omec-project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows a low-privil
Denial of service in omec-project's 5G Access and Mobility Management Function (AMF) versions up to 2.0.2 and 2.1.1 allo
Null pointer dereference in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.3-dev allows a
Null pointer dereference in OMEC Project AMF versions up to 2.1.3-dev allows remote authenticated attackers to trigger d
Memory corruption in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows authenticate
Memory corruption in the omec-project AMF (Access and Mobility Management Function) NGSetupRequest Handler allows networ
Memory corruption in omec-project AMF versions up to 2.1.1 exposes 5G core network infrastructure to remote exploitation
Memory corruption in omec-project AMF (Access and Mobility Management Function) through version 2.1.1 allows authenticat
Memory corruption in omec-project AMF versions up to 2.1.3-dev allows authenticated remote attackers to trigger low-seve
Memory corruption in OMEC Project's Access and Mobility Management Function (AMF) allows authenticated remote attackers
Memory corruption in OMEC Project AMF up to version 2.1.1 occurs in the NGAP Message Handler when processing malformed m
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30725
GHSA-6h8r-h22r-jj64