Skip to main content

OMEC AMF CVE-2026-9298

| EUVDEUVD-2026-31530 LOW
Buffer Overflow (CWE-119)
2026-05-23 VulDB GHSA-h3w8-h79v-64cv
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
6.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
May 26, 2026 - 19:52 NVD
MEDIUM LOW
CVSS changed
May 26, 2026 - 19:52 NVD
6.3 (MEDIUM) 2.1 (LOW)
Source Code Evidence Fetched
May 23, 2026 - 11:01 vuln.today
Analysis Generated
May 23, 2026 - 11:01 vuln.today

DescriptionCVE.org

A vulnerability was detected in omec-project amf up to 2.1.1. Affected by this vulnerability is an unknown functionality of the component PathSwitchRequest Handler. The manipulation results in memory corruption. The attack may be launched remotely. The exploit is now public and may be used. It is advisable to implement a patch to correct this issue.

AnalysisAI

Memory corruption in omec-project AMF (Access and Mobility Management Function) through version 2.1.1 allows authenticated remote attackers to corrupt memory by sending crafted NGAP or NAS messages targeting the PathSwitchRequest handler and related message processing paths. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:L/I:L/A:L) indicates low-complexity network exploitation requiring only low-privilege credentials, with partial impacts across confidentiality, integrity, and availability. Publicly available exploit code exists (confirmed by GitHub issue #680 and the E:P temporal modifier); no active exploitation is confirmed in CISA KEV.

Technical ContextAI

The omec-project AMF is an open-source 5G core network Access and Mobility Management Function implementing 3GPP TS 23.502 procedures, including NGAP (Next Generation Application Protocol) over SCTP for gNB-to-core communication and NAS (Non-Access Stratum) for UE signaling. The affected CPE is cpe:2.3:a:omec-project:amf:*:*:*:*:*:*:*:* covering all versions through 2.1.1. CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) is the root cause class. Analysis of PR #666 reveals the vulnerability is not isolated to a single handler: the patch adds nil/empty-slice guards on MobileIdentity5GSContents in the NAS security module (preventing out-of-bounds slice access), nil checks for SCTP LB messages, RAN contexts, connections, and NGAP PDUs throughout the NGAP dispatcher, and proper error propagation for PLMN ID parsing failures in the RegistrationRequest and IdentityResponse GMM handlers. The PathSwitchRequest handler - an NGAP procedure triggered when a UE performs an Xn-handover - shares the unguarded NGAP dispatcher code paths, making it a direct attack surface. Tags confirm the buffer overflow classification.

RemediationAI

Upgrade to omec-project AMF version 2.2.0, which is the fixed release introduced by PR #666 at https://github.com/omec-project/amf/pull/666. This PR adds nil-pointer guards across the NGAP dispatcher, bounds checking for NAS mobile identity contents, and proper error propagation for PLMN ID parsing - all of which collectively close the memory corruption paths. Note that version 2.2.0 is confirmed by the VERSION file change in the PR diff from '2.1.3-dev' to '2.2.0', but an independently published tagged release was not confirmed from the available reference data; operators should verify a tagged release exists on the GitHub repository before deploying. If immediate patching is not possible, restrict NGAP SCTP access (port 38412) to trusted gNB IP ranges using firewall or network segmentation, and limit NAS message ingestion to authenticated UE sessions only - these controls reduce the attack surface but do not eliminate the flaw since PR:L attackers with valid session credentials can still trigger the handlers. The trade-off of these compensating controls is potential disruption to legitimate handover procedures if allowlists are misconfigured.

More in Amf

View all
CVE-2025-69248 HIGH POC
7.5 Feb 23

free5GC is an open-source project for 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 of fr

CVE-2026-14623 LOW POC
2.1 Jul 04

Denial of service in omec-project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows a low-privil

CVE-2026-14624 LOW POC
2.1 Jul 04

Denial of service in omec-project's 5G Access and Mobility Management Function (AMF) versions up to 2.0.2 and 2.1.1 allo

CVE-2026-8783 LOW POC
2.1 May 18

Null pointer dereference in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.3-dev allows a

CVE-2026-8782 LOW POC
2.1 May 18

Remote denial of service in omec-project AMF versions up to 2.1.3-dev allows authenticated attackers to crash the Access

CVE-2026-8781 LOW POC
2.1 May 18

Null pointer dereference in OMEC Project AMF versions up to 2.1.3-dev allows remote authenticated attackers to trigger d

CVE-2026-9301 LOW POC
2.1 May 23

Memory corruption in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows authenticate

CVE-2026-9300 LOW POC
2.1 May 23

Memory corruption in the omec-project AMF (Access and Mobility Management Function) NGSetupRequest Handler allows networ

CVE-2026-9299 LOW POC
2.1 May 23

Memory corruption in omec-project AMF versions up to 2.1.1 exposes 5G core network infrastructure to remote exploitation

CVE-2026-8780 LOW POC
2.1 May 18

Memory corruption in omec-project AMF versions up to 2.1.3-dev allows authenticated remote attackers to trigger low-seve

CVE-2026-8779 LOW POC
2.1 May 18

Memory corruption in OMEC Project's Access and Mobility Management Function (AMF) allows authenticated remote attackers

CVE-2026-8349 LOW POC
2.1 May 11

Memory corruption in OMEC Project AMF up to version 2.1.1 occurs in the NGAP Message Handler when processing malformed m

Vendor StatusVendor

Share

CVE-2026-9298 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy