Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability has been found in omec-project amf up to 2.1.1. This affects an unknown part of the component NGSetupRequest Handler. Such manipulation leads to memory corruption. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. It is best practice to apply a patch to resolve this issue.
AnalysisAI
Memory corruption in the omec-project AMF (Access and Mobility Management Function) NGSetupRequest Handler allows network-adjacent authenticated attackers to corrupt process memory via crafted NGAP messages or malformed SUCI values, affecting confidentiality, integrity, and availability. The vulnerability stems from missing nil-pointer guards in the NGAP dispatcher and absent input validation when parsing Subscription Concealed Identifiers (SUCI) during UE registration and identity response flows. Exploit code has been publicly disclosed (GitHub issue #679), and no public exploit identified at time of analysis confirms active KEV exploitation, though the CVSS temporal vector E:P confirms proof-of-concept availability.
Technical ContextAI
The affected component is the omec-project AMF, a 5G core network function implementing the N2 interface (NGAP protocol) toward gNBs and NAS signaling toward user equipment. The CPE cpe:2.3:a:omec-project:amf:*:*:*:*:*:*:*:* covers all versions through at least 2.1.1 per the CVE description (the PR diff shows pre-fix version was '2.1.3-dev', indicating the vulnerable range may extend beyond 2.1.1). CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) describes the root cause class, manifesting as nil-pointer dereferences and missing bounds checks in the NGAP dispatcher (ngap/dispatcher.go) and NAS/GMM handler (gmm/handler.go, nas/nas_security/security.go). Specific code paths: the PlmnIdStringToModels function called during SUCI parsing had no error return path, allowing a malformed SUCI in a RegistrationRequest or IdentityResponse to propagate an invalid value directly into the UE context. Additionally, the NGAP dispatcher lacked nil guards on SCTP LB messages, RAN context, connection objects, and NGAP PDUs, creating multiple dereference paths via a crafted NGSetupRequest.
RemediationAI
Upgrade to omec-project AMF version 2.2.0, which contains the security fixes merged in GitHub PR #666 (https://github.com/omec-project/amf/pull/666). The patch is available as an upstream fix with the VERSION file explicitly bumped to 2.2.0; a formally released tagged version at 2.2.0 should be confirmed via the project repository before deployment. The patch addresses nil-pointer dereferences in the NGAP dispatcher by adding guards on SCTP LB messages, RAN context objects, connections, and NGAP PDUs, and adds proper error propagation for invalid SUCI parsing in RegistrationRequest and IdentityResponse handlers. If immediate upgrade is not possible, operators should restrict N2 interface access (SCTP port 38412) to known, trusted gNB IP addresses via firewall or SCTP access control lists, reducing exposure to only authenticated RAN equipment. This workaround limits the network attack surface but does not eliminate the vulnerability for environments where gNB credentials or IP ranges may be compromised. Monitor for abnormal AMF process crashes or restarts as an indicator of exploitation attempts.
free5GC is an open-source project for 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 of fr
Denial of service in omec-project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows a low-privil
Denial of service in omec-project's 5G Access and Mobility Management Function (AMF) versions up to 2.0.2 and 2.1.1 allo
Null pointer dereference in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.3-dev allows a
Remote denial of service in omec-project AMF versions up to 2.1.3-dev allows authenticated attackers to crash the Access
Null pointer dereference in OMEC Project AMF versions up to 2.1.3-dev allows remote authenticated attackers to trigger d
Memory corruption in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows authenticate
Memory corruption in omec-project AMF versions up to 2.1.1 exposes 5G core network infrastructure to remote exploitation
Memory corruption in omec-project AMF (Access and Mobility Management Function) through version 2.1.1 allows authenticat
Memory corruption in omec-project AMF versions up to 2.1.3-dev allows authenticated remote attackers to trigger low-seve
Memory corruption in OMEC Project's Access and Mobility Management Function (AMF) allows authenticated remote attackers
Memory corruption in OMEC Project AMF up to version 2.1.1 occurs in the NGAP Message Handler when processing malformed m
Same weakness CWE-119 – Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31534
GHSA-6p7m-c3mw-4gmw