Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A flaw has been found in omec-project amf up to 2.1.1. Affected by this issue is the function PDUSessionResourceModifyIndication of the file /go/src/amf/ngap/handler.go. This manipulation causes memory corruption. Remote exploitation of the attack is possible. The exploit has been published and may be used. Applying a patch is the recommended action to fix this issue.
AnalysisAI
Memory corruption in omec-project AMF versions up to 2.1.1 exposes 5G core network infrastructure to remote exploitation via crafted NGAP PDUSessionResourceModifyIndication messages, allowing low-privileged attackers to achieve partial confidentiality, integrity, and availability impact on the Access and Mobility Management Function. A publicly available exploit exists (confirmed by CVSS E:P and GitHub issue #681), and an official vendor patch has been released in version 2.2.0 via PR #666. No CISA KEV listing was identified at time of analysis, so active widespread exploitation is not confirmed.
Technical ContextAI
The affected product is the OMEC Project's open-source 5G AMF (Access and Mobility Management Function), a Go-language implementation of the 3GPP 5G core network function responsible for N2 NGAP signaling with 5G RAN nodes (gNBs), identifiable via CPE cpe:2.3:a:omec-project:amf:*:*:*:*:*:*:*:*. The vulnerability is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), a buffer overflow class, in the PDUSessionResourceModifyIndication handler within ngap/handler.go. The PR #666 diff reveals a systemic pattern of missing input validation: nil pointer dereferences throughout the NGAP dispatcher (ngap/dispatcher.go), unvalidated SUCI (Subscription Concealed Identifier) parsing in gmm/handler.go where PlmnIdStringToModels was called without error checking, empty-slice access in nas/nas_security/security.go for MobileIdentity5GSContents, and absence of UTF-8 validation for Prometheus label values in metrics/telemetry.go. The fixes add nil guards on SCTP LB messages, RAN context objects, connections, and NGAP PDUs, plus proper error propagation for malformed SUCI inputs, indicating the root cause is insufficient boundary and validity checking across untrusted NGAP and NAS input paths.
RemediationAI
Upgrade omec-project AMF to version 2.2.0, which incorporates the security fixes from PR #666 at https://github.com/omec-project/amf/pull/666. Note that while the VERSION file in the PR confirms the 2.2.0 release tag, this is from a GitHub PR/commit reference rather than a separately published release artifact - the patched version is inferred from the PR diff rather than independently confirmed via a tagged release announcement. The patch adds nil pointer validation throughout the NGAP dispatcher, proper error propagation for malformed SUCI identity parsing, and empty-slice guards in NAS security processing. If immediate upgrade is not feasible, restrict access to the AMF's NGAP interface (SCTP port 38412) to known, authorized gNB IP ranges via firewall or SCTP access controls - this reduces exposure by limiting who can deliver crafted NGAP messages, though it does not eliminate the vulnerability if a legitimate RAN node is compromised. Additional context is available via the VulDB entry at https://vuldb.com/vuln/365246.
free5GC is an open-source project for 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 of fr
Denial of service in omec-project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows a low-privil
Denial of service in omec-project's 5G Access and Mobility Management Function (AMF) versions up to 2.0.2 and 2.1.1 allo
Null pointer dereference in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.3-dev allows a
Remote denial of service in omec-project AMF versions up to 2.1.3-dev allows authenticated attackers to crash the Access
Null pointer dereference in OMEC Project AMF versions up to 2.1.3-dev allows remote authenticated attackers to trigger d
Memory corruption in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows authenticate
Memory corruption in the omec-project AMF (Access and Mobility Management Function) NGSetupRequest Handler allows networ
Memory corruption in omec-project AMF (Access and Mobility Management Function) through version 2.1.1 allows authenticat
Memory corruption in omec-project AMF versions up to 2.1.3-dev allows authenticated remote attackers to trigger low-seve
Memory corruption in OMEC Project's Access and Mobility Management Function (AMF) allows authenticated remote attackers
Memory corruption in OMEC Project AMF up to version 2.1.1 occurs in the NGAP Message Handler when processing malformed m
Same weakness CWE-119 – Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31533
GHSA-m9r6-r5c3-jw4j