Skip to main content

omec-project AMF CVE-2026-9300

| EUVDEUVD-2026-31534 LOW
Buffer Overflow (CWE-119)
2026-05-23 VulDB GHSA-6p7m-c3mw-4gmw
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
May 26, 2026 - 19:52 NVD
MEDIUM LOW
CVSS changed
May 26, 2026 - 19:52 NVD
6.3 (MEDIUM) 2.1 (LOW)
Source Code Evidence Fetched
May 23, 2026 - 12:31 vuln.today
Analysis Generated
May 23, 2026 - 12:31 vuln.today

DescriptionCVE.org

A vulnerability has been found in omec-project amf up to 2.1.1. This affects an unknown part of the component NGSetupRequest Handler. Such manipulation leads to memory corruption. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. It is best practice to apply a patch to resolve this issue.

AnalysisAI

Memory corruption in the omec-project AMF (Access and Mobility Management Function) NGSetupRequest Handler allows network-adjacent authenticated attackers to corrupt process memory via crafted NGAP messages or malformed SUCI values, affecting confidentiality, integrity, and availability. The vulnerability stems from missing nil-pointer guards in the NGAP dispatcher and absent input validation when parsing Subscription Concealed Identifiers (SUCI) during UE registration and identity response flows. Exploit code has been publicly disclosed (GitHub issue #679), and no public exploit identified at time of analysis confirms active KEV exploitation, though the CVSS temporal vector E:P confirms proof-of-concept availability.

Technical ContextAI

The affected component is the omec-project AMF, a 5G core network function implementing the N2 interface (NGAP protocol) toward gNBs and NAS signaling toward user equipment. The CPE cpe:2.3:a:omec-project:amf:*:*:*:*:*:*:*:* covers all versions through at least 2.1.1 per the CVE description (the PR diff shows pre-fix version was '2.1.3-dev', indicating the vulnerable range may extend beyond 2.1.1). CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) describes the root cause class, manifesting as nil-pointer dereferences and missing bounds checks in the NGAP dispatcher (ngap/dispatcher.go) and NAS/GMM handler (gmm/handler.go, nas/nas_security/security.go). Specific code paths: the PlmnIdStringToModels function called during SUCI parsing had no error return path, allowing a malformed SUCI in a RegistrationRequest or IdentityResponse to propagate an invalid value directly into the UE context. Additionally, the NGAP dispatcher lacked nil guards on SCTP LB messages, RAN context, connection objects, and NGAP PDUs, creating multiple dereference paths via a crafted NGSetupRequest.

RemediationAI

Upgrade to omec-project AMF version 2.2.0, which contains the security fixes merged in GitHub PR #666 (https://github.com/omec-project/amf/pull/666). The patch is available as an upstream fix with the VERSION file explicitly bumped to 2.2.0; a formally released tagged version at 2.2.0 should be confirmed via the project repository before deployment. The patch addresses nil-pointer dereferences in the NGAP dispatcher by adding guards on SCTP LB messages, RAN context objects, connections, and NGAP PDUs, and adds proper error propagation for invalid SUCI parsing in RegistrationRequest and IdentityResponse handlers. If immediate upgrade is not possible, operators should restrict N2 interface access (SCTP port 38412) to known, trusted gNB IP addresses via firewall or SCTP access control lists, reducing exposure to only authenticated RAN equipment. This workaround limits the network attack surface but does not eliminate the vulnerability for environments where gNB credentials or IP ranges may be compromised. Monitor for abnormal AMF process crashes or restarts as an indicator of exploitation attempts.

More in Amf

View all
CVE-2025-69248 HIGH POC
7.5 Feb 23

free5GC is an open-source project for 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 of fr

CVE-2026-14623 LOW POC
2.1 Jul 04

Denial of service in omec-project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows a low-privil

CVE-2026-14624 LOW POC
2.1 Jul 04

Denial of service in omec-project's 5G Access and Mobility Management Function (AMF) versions up to 2.0.2 and 2.1.1 allo

CVE-2026-8783 LOW POC
2.1 May 18

Null pointer dereference in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.3-dev allows a

CVE-2026-8782 LOW POC
2.1 May 18

Remote denial of service in omec-project AMF versions up to 2.1.3-dev allows authenticated attackers to crash the Access

CVE-2026-8781 LOW POC
2.1 May 18

Null pointer dereference in OMEC Project AMF versions up to 2.1.3-dev allows remote authenticated attackers to trigger d

CVE-2026-9301 LOW POC
2.1 May 23

Memory corruption in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows authenticate

CVE-2026-9299 LOW POC
2.1 May 23

Memory corruption in omec-project AMF versions up to 2.1.1 exposes 5G core network infrastructure to remote exploitation

CVE-2026-9298 LOW POC
2.1 May 23

Memory corruption in omec-project AMF (Access and Mobility Management Function) through version 2.1.1 allows authenticat

CVE-2026-8780 LOW POC
2.1 May 18

Memory corruption in omec-project AMF versions up to 2.1.3-dev allows authenticated remote attackers to trigger low-seve

CVE-2026-8779 LOW POC
2.1 May 18

Memory corruption in OMEC Project's Access and Mobility Management Function (AMF) allows authenticated remote attackers

CVE-2026-8349 LOW POC
2.1 May 11

Memory corruption in OMEC Project AMF up to version 2.1.1 occurs in the NGAP Message Handler when processing malformed m

Share

CVE-2026-9300 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy