Skip to main content

omec-project AMF CVE-2026-9299

| EUVDEUVD-2026-31533 LOW
Buffer Overflow (CWE-119)
2026-05-23 VulDB GHSA-m9r6-r5c3-jw4j
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
May 26, 2026 - 19:52 NVD
MEDIUM LOW
CVSS changed
May 26, 2026 - 19:52 NVD
6.3 (MEDIUM) 2.1 (LOW)
Source Code Evidence Fetched
May 23, 2026 - 11:31 vuln.today
Analysis Generated
May 23, 2026 - 11:31 vuln.today

DescriptionCVE.org

A flaw has been found in omec-project amf up to 2.1.1. Affected by this issue is the function PDUSessionResourceModifyIndication of the file /go/src/amf/ngap/handler.go. This manipulation causes memory corruption. Remote exploitation of the attack is possible. The exploit has been published and may be used. Applying a patch is the recommended action to fix this issue.

AnalysisAI

Memory corruption in omec-project AMF versions up to 2.1.1 exposes 5G core network infrastructure to remote exploitation via crafted NGAP PDUSessionResourceModifyIndication messages, allowing low-privileged attackers to achieve partial confidentiality, integrity, and availability impact on the Access and Mobility Management Function. A publicly available exploit exists (confirmed by CVSS E:P and GitHub issue #681), and an official vendor patch has been released in version 2.2.0 via PR #666. No CISA KEV listing was identified at time of analysis, so active widespread exploitation is not confirmed.

Technical ContextAI

The affected product is the OMEC Project's open-source 5G AMF (Access and Mobility Management Function), a Go-language implementation of the 3GPP 5G core network function responsible for N2 NGAP signaling with 5G RAN nodes (gNBs), identifiable via CPE cpe:2.3:a:omec-project:amf:*:*:*:*:*:*:*:*. The vulnerability is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), a buffer overflow class, in the PDUSessionResourceModifyIndication handler within ngap/handler.go. The PR #666 diff reveals a systemic pattern of missing input validation: nil pointer dereferences throughout the NGAP dispatcher (ngap/dispatcher.go), unvalidated SUCI (Subscription Concealed Identifier) parsing in gmm/handler.go where PlmnIdStringToModels was called without error checking, empty-slice access in nas/nas_security/security.go for MobileIdentity5GSContents, and absence of UTF-8 validation for Prometheus label values in metrics/telemetry.go. The fixes add nil guards on SCTP LB messages, RAN context objects, connections, and NGAP PDUs, plus proper error propagation for malformed SUCI inputs, indicating the root cause is insufficient boundary and validity checking across untrusted NGAP and NAS input paths.

RemediationAI

Upgrade omec-project AMF to version 2.2.0, which incorporates the security fixes from PR #666 at https://github.com/omec-project/amf/pull/666. Note that while the VERSION file in the PR confirms the 2.2.0 release tag, this is from a GitHub PR/commit reference rather than a separately published release artifact - the patched version is inferred from the PR diff rather than independently confirmed via a tagged release announcement. The patch adds nil pointer validation throughout the NGAP dispatcher, proper error propagation for malformed SUCI identity parsing, and empty-slice guards in NAS security processing. If immediate upgrade is not feasible, restrict access to the AMF's NGAP interface (SCTP port 38412) to known, authorized gNB IP ranges via firewall or SCTP access controls - this reduces exposure by limiting who can deliver crafted NGAP messages, though it does not eliminate the vulnerability if a legitimate RAN node is compromised. Additional context is available via the VulDB entry at https://vuldb.com/vuln/365246.

More in Amf

View all
CVE-2025-69248 HIGH POC
7.5 Feb 23

free5GC is an open-source project for 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 of fr

CVE-2026-14623 LOW POC
2.1 Jul 04

Denial of service in omec-project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows a low-privil

CVE-2026-14624 LOW POC
2.1 Jul 04

Denial of service in omec-project's 5G Access and Mobility Management Function (AMF) versions up to 2.0.2 and 2.1.1 allo

CVE-2026-8783 LOW POC
2.1 May 18

Null pointer dereference in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.3-dev allows a

CVE-2026-8782 LOW POC
2.1 May 18

Remote denial of service in omec-project AMF versions up to 2.1.3-dev allows authenticated attackers to crash the Access

CVE-2026-8781 LOW POC
2.1 May 18

Null pointer dereference in OMEC Project AMF versions up to 2.1.3-dev allows remote authenticated attackers to trigger d

CVE-2026-9301 LOW POC
2.1 May 23

Memory corruption in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows authenticate

CVE-2026-9300 LOW POC
2.1 May 23

Memory corruption in the omec-project AMF (Access and Mobility Management Function) NGSetupRequest Handler allows networ

CVE-2026-9298 LOW POC
2.1 May 23

Memory corruption in omec-project AMF (Access and Mobility Management Function) through version 2.1.1 allows authenticat

CVE-2026-8780 LOW POC
2.1 May 18

Memory corruption in omec-project AMF versions up to 2.1.3-dev allows authenticated remote attackers to trigger low-seve

CVE-2026-8779 LOW POC
2.1 May 18

Memory corruption in OMEC Project's Access and Mobility Management Function (AMF) allows authenticated remote attackers

CVE-2026-8349 LOW POC
2.1 May 11

Memory corruption in OMEC Project AMF up to version 2.1.1 occurs in the NGAP Message Handler when processing malformed m

Share

CVE-2026-9299 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy