Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was detected in omec-project amf up to 2.1.1. Affected by this vulnerability is an unknown functionality of the component PathSwitchRequest Handler. The manipulation results in memory corruption. The attack may be launched remotely. The exploit is now public and may be used. It is advisable to implement a patch to correct this issue.
AnalysisAI
Memory corruption in omec-project AMF (Access and Mobility Management Function) through version 2.1.1 allows authenticated remote attackers to corrupt memory by sending crafted NGAP or NAS messages targeting the PathSwitchRequest handler and related message processing paths. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:L/I:L/A:L) indicates low-complexity network exploitation requiring only low-privilege credentials, with partial impacts across confidentiality, integrity, and availability. Publicly available exploit code exists (confirmed by GitHub issue #680 and the E:P temporal modifier); no active exploitation is confirmed in CISA KEV.
Technical ContextAI
The omec-project AMF is an open-source 5G core network Access and Mobility Management Function implementing 3GPP TS 23.502 procedures, including NGAP (Next Generation Application Protocol) over SCTP for gNB-to-core communication and NAS (Non-Access Stratum) for UE signaling. The affected CPE is cpe:2.3:a:omec-project:amf:*:*:*:*:*:*:*:* covering all versions through 2.1.1. CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) is the root cause class. Analysis of PR #666 reveals the vulnerability is not isolated to a single handler: the patch adds nil/empty-slice guards on MobileIdentity5GSContents in the NAS security module (preventing out-of-bounds slice access), nil checks for SCTP LB messages, RAN contexts, connections, and NGAP PDUs throughout the NGAP dispatcher, and proper error propagation for PLMN ID parsing failures in the RegistrationRequest and IdentityResponse GMM handlers. The PathSwitchRequest handler - an NGAP procedure triggered when a UE performs an Xn-handover - shares the unguarded NGAP dispatcher code paths, making it a direct attack surface. Tags confirm the buffer overflow classification.
RemediationAI
Upgrade to omec-project AMF version 2.2.0, which is the fixed release introduced by PR #666 at https://github.com/omec-project/amf/pull/666. This PR adds nil-pointer guards across the NGAP dispatcher, bounds checking for NAS mobile identity contents, and proper error propagation for PLMN ID parsing - all of which collectively close the memory corruption paths. Note that version 2.2.0 is confirmed by the VERSION file change in the PR diff from '2.1.3-dev' to '2.2.0', but an independently published tagged release was not confirmed from the available reference data; operators should verify a tagged release exists on the GitHub repository before deploying. If immediate patching is not possible, restrict NGAP SCTP access (port 38412) to trusted gNB IP ranges using firewall or network segmentation, and limit NAS message ingestion to authenticated UE sessions only - these controls reduce the attack surface but do not eliminate the flaw since PR:L attackers with valid session credentials can still trigger the handlers. The trade-off of these compensating controls is potential disruption to legitimate handover procedures if allowlists are misconfigured.
free5GC is an open-source project for 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 of fr
Denial of service in omec-project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows a low-privil
Denial of service in omec-project's 5G Access and Mobility Management Function (AMF) versions up to 2.0.2 and 2.1.1 allo
Null pointer dereference in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.3-dev allows a
Remote denial of service in omec-project AMF versions up to 2.1.3-dev allows authenticated attackers to crash the Access
Null pointer dereference in OMEC Project AMF versions up to 2.1.3-dev allows remote authenticated attackers to trigger d
Memory corruption in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows authenticate
Memory corruption in the omec-project AMF (Access and Mobility Management Function) NGSetupRequest Handler allows networ
Memory corruption in omec-project AMF versions up to 2.1.1 exposes 5G core network infrastructure to remote exploitation
Memory corruption in omec-project AMF versions up to 2.1.3-dev allows authenticated remote attackers to trigger low-seve
Memory corruption in OMEC Project's Access and Mobility Management Function (AMF) allows authenticated remote attackers
Memory corruption in OMEC Project AMF up to version 2.1.1 occurs in the NGAP Message Handler when processing malformed m
Same weakness CWE-119 – Buffer Overflow
View allSame technique Buffer Overflow
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31530
GHSA-h3w8-h79v-64cv