Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A security vulnerability has been detected in omec-project amf up to 2.1.3-dev. This impacts the function UERadioCapabilityCheckResponse of the file ngap/dispatcher.go. Such manipulation leads to null pointer dereference. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.2.0 will fix this issue. Upgrading the affected component is advised. The same pull request fixes multiple security issues.
AnalysisAI
Null pointer dereference in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.3-dev allows authenticated remote attackers to trigger denial of service via crafted NGAP UERadioCapabilityCheckResponse messages. The vulnerability exists in ngap/dispatcher.go where insufficient null pointer validation permits exploitation through the 5G network interface. Public exploit code exists (GitHub issue #675), and vendor-released patch v2.2.0 is available via PR #666, which also addresses multiple related security issues in NGAP message handling and mobile identity parsing.
Technical ContextAI
OMEC (Open Mobile Evolved Core) AMF implements the 3GPP Access and Mobility Management Function for 5G standalone core networks. The vulnerability (CWE-476) affects the NGAP (NG Application Protocol) dispatcher in ngap/dispatcher.go, specifically in UERadioCapabilityCheckResponse message processing. NGAP is the control-plane protocol between 5G radio access networks (gNB) and the core AMF. The patch evidence shows multiple missing null-pointer checks in dispatcher.go (lines handling sctplbMsg, ran context, connection objects, and NGAP PDUs), plus related input validation failures in gmm/handler.go (PLMN ID parsing from SUCI) and nas/nas_security/security.go (empty MobileIdentity5GSContents). The code serves SCTP-based 5G signaling traffic and metrics telemetry. GitHub PR #666 adds defensive null checks across message ingestion paths and improves UTF-8 validation for Prometheus label values, preventing crashes when malformed or missing data structures are processed.
RemediationAI
Upgrade to OMEC AMF version 2.2.0 or later, confirmed fixed per vendor release tag https://github.com/omec-project/amf/releases/tag/v2.2.0 and pull request https://github.com/omec-project/amf/pull/666. The patch adds null-pointer validation in ngap/dispatcher.go (checks for nil sctplbMsg, ran, conn, pdu before dereferencing), error handling for PLMN ID parsing in gmm/handler.go, and empty-buffer checks in nas/nas_security/security.go. If immediate upgrade is not feasible, implement network-level access controls restricting NGAP SCTP connections to trusted gNB IP addresses only (reduces attack surface to compromised base stations), and enable verbose logging in ngap/dispatcher.go to detect repeated null-pointer errors indicative of exploitation attempts - note this mitigation does not prevent crashes but aids incident detection. Monitor AMF process restarts and correlate with NGAP message types in logs. No configuration-based workaround exists as the bug is in core message processing logic. Patching is strongly recommended as PR #666 addresses multiple related null-pointer and input validation issues beyond this single CVE.
free5GC is an open-source project for 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 of fr
Denial of service in omec-project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows a low-privil
Denial of service in omec-project's 5G Access and Mobility Management Function (AMF) versions up to 2.0.2 and 2.1.1 allo
Remote denial of service in omec-project AMF versions up to 2.1.3-dev allows authenticated attackers to crash the Access
Null pointer dereference in OMEC Project AMF versions up to 2.1.3-dev allows remote authenticated attackers to trigger d
Memory corruption in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows authenticate
Memory corruption in the omec-project AMF (Access and Mobility Management Function) NGSetupRequest Handler allows networ
Memory corruption in omec-project AMF versions up to 2.1.1 exposes 5G core network infrastructure to remote exploitation
Memory corruption in omec-project AMF (Access and Mobility Management Function) through version 2.1.1 allows authenticat
Memory corruption in omec-project AMF versions up to 2.1.3-dev allows authenticated remote attackers to trigger low-seve
Memory corruption in OMEC Project's Access and Mobility Management Function (AMF) allows authenticated remote attackers
Memory corruption in OMEC Project AMF up to version 2.1.1 occurs in the NGAP Message Handler when processing malformed m
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30731
GHSA-6v92-ph9p-hrpc