Skip to main content

OMEC AMF CVE-2026-9301

| EUVDEUVD-2026-31538 LOW
Buffer Overflow (CWE-119)
2026-05-23 VulDB GHSA-qm7q-rcm2-3frc
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
May 26, 2026 - 19:52 NVD
MEDIUM LOW
CVSS changed
May 26, 2026 - 19:52 NVD
6.3 (MEDIUM) 2.1 (LOW)
Source Code Evidence Fetched
May 23, 2026 - 14:00 vuln.today
Analysis Generated
May 23, 2026 - 14:00 vuln.today

DescriptionCVE.org

A vulnerability was found in omec-project amf up to 2.1.1. This vulnerability affects unknown code of the component NGReset Message Handler. Performing a manipulation results in memory corruption. The attack is possible to be carried out remotely. The exploit has been made public and could be used. It is recommended to apply a patch to fix this issue.

AnalysisAI

Memory corruption in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows authenticated remote attackers to corrupt memory by sending malformed NGReset messages to the 5G core network component. The vulnerability stems from insufficient validation of PLMN ID strings in SUCI (Subscription Concealed Identifier) processing within the NGReset message handler. Public exploit code exists (GitHub issue #678), and vendor patch is available (PR #666 upgrading to version 2.2.0). EPSS data not available but exploit code publication increases real-world exploitation likelihood for targeted attacks against 5G core infrastructure.

Technical ContextAI

OMEC AMF is an open-source 5G core network Access and Mobility Management Function implementing 3GPP specifications for user equipment registration and mobility. The vulnerability (CWE-119: Memory Buffer Bounds) occurs in the NGReset message handler when processing SUCI mobile identities during UE context lookup. The flaw manifests in two code paths: HandleRegistrationRequest and HandleIdentityResponse functions in gmm/handler.go. These functions call util.PlmnIdStringToModels without validating the return error, allowing malformed PLMN ID strings in SUCI identities to trigger memory corruption. The NGReset procedure is part of NGAP (NG Application Protocol) used for signaling between gNodeB base stations and the AMF. The patch (PR #666) adds error handling for invalid SUCI decoding, validates UTF-8 strings in Prometheus telemetry labels to prevent injection of malformed data, adds nil-pointer checks in the NGAP dispatcher, and validates mobile identity content length before processing. CPE cpe:2.3:a:omec-project:amf:*:*:*:*:*:*:*:* indicates all versions up to and including 2.1.1 are affected.

RemediationAI

Upgrade to OMEC AMF version 2.2.0 which contains comprehensive fixes per GitHub pull request https://github.com/omec-project/amf/pull/666. The patch adds error handling for SUCI PLMN ID decoding in gmm/handler.go (HandleRegistrationRequest and HandleIdentityResponse functions), implements input validation for mobile identity content length in nas/nas_security/security.go, adds nil-pointer checks in ngap/dispatcher.go for SCTP messages and NGAP PDUs, and sanitizes Prometheus label values to prevent UTF-8 injection. Review the VERSION file change confirming upgrade from 2.1.3-dev to 2.2.0. If immediate patching is not feasible, implement network-level access controls to restrict NGAP interface exposure exclusively to authenticated and trusted gNodeB endpoints using IPsec or TLS encryption with mutual authentication. Deploy anomaly detection for malformed NGAP NGReset messages with invalid SUCI formats at the SCTP layer before AMF processing-this requires deep packet inspection capable of parsing 3GPP ASN.1 encodings, with trade-off of increased latency (5-15ms) and inspection infrastructure costs. Monitor AMF logs for errors related to SUCI decoding failures and PLMN ID parsing as potential exploitation indicators. These mitigations reduce but do not eliminate risk since they rely on perimeter defenses rather than fixing the underlying memory corruption vulnerability.

More in Amf

View all
CVE-2025-69248 HIGH POC
7.5 Feb 23

free5GC is an open-source project for 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 of fr

CVE-2026-14623 LOW POC
2.1 Jul 04

Denial of service in omec-project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows a low-privil

CVE-2026-14624 LOW POC
2.1 Jul 04

Denial of service in omec-project's 5G Access and Mobility Management Function (AMF) versions up to 2.0.2 and 2.1.1 allo

CVE-2026-8783 LOW POC
2.1 May 18

Null pointer dereference in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.3-dev allows a

CVE-2026-8782 LOW POC
2.1 May 18

Remote denial of service in omec-project AMF versions up to 2.1.3-dev allows authenticated attackers to crash the Access

CVE-2026-8781 LOW POC
2.1 May 18

Null pointer dereference in OMEC Project AMF versions up to 2.1.3-dev allows remote authenticated attackers to trigger d

CVE-2026-9300 LOW POC
2.1 May 23

Memory corruption in the omec-project AMF (Access and Mobility Management Function) NGSetupRequest Handler allows networ

CVE-2026-9299 LOW POC
2.1 May 23

Memory corruption in omec-project AMF versions up to 2.1.1 exposes 5G core network infrastructure to remote exploitation

CVE-2026-9298 LOW POC
2.1 May 23

Memory corruption in omec-project AMF (Access and Mobility Management Function) through version 2.1.1 allows authenticat

CVE-2026-8780 LOW POC
2.1 May 18

Memory corruption in omec-project AMF versions up to 2.1.3-dev allows authenticated remote attackers to trigger low-seve

CVE-2026-8779 LOW POC
2.1 May 18

Memory corruption in OMEC Project's Access and Mobility Management Function (AMF) allows authenticated remote attackers

CVE-2026-8349 LOW POC
2.1 May 11

Memory corruption in OMEC Project AMF up to version 2.1.1 occurs in the NGAP Message Handler when processing malformed m

Share

CVE-2026-9301 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy