Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
OpenAirInterface V2.2.0 AMF crashes when it receives an NGAP message with invalid procedure code or invalid PDU-type. For example when the message specification requires InitiatingMessage but sent with successfulOutcome.
AnalysisAI
AMF daemon in OpenAirInterface V2.2.0 crashes upon receipt of malformed NGAP control-plane messages containing mismatched procedure codes or PDU type violations (e.g., successfulOutcome where InitiatingMessage is required). Remote attackers can trigger denial of service without authentication (CVSS AV:N/PR:N), exploiting improper input validation (CWE-20) in 5G core network signaling. Publicly available exploit code exists, SSVC framework classifies as automatable with partial technical impact, and EPSS data not provided but attack simplicity (AC:L) indicates low barrier to exploitation.
Technical ContextAI
OpenAirInterface 5G Core Network implements the Access and Mobility Management Function (AMF), a critical control-plane component in 5G standalone architecture responsible for connection and mobility management. The AMF communicates with gNodeBs (base stations) via the NG Application Protocol (NGAP), defined in 3GPP TS 38.413. NGAP uses Abstract Syntax Notation One (ASN.1) encoding with strict message structure requirements: each procedure must use the correct PDU choice (InitiatingMessage, SuccessfulOutcome, or UnsuccessfulOutcome). The vulnerability stems from CWE-20 (Improper Input Validation) where the AMF parser fails to gracefully reject NGAP messages with type mismatches or invalid procedure codes, instead triggering an unhandled exception or assertion failure that crashes the daemon. The affected CPE is incomplete (cpe:2.3:a:n/a:n/a) but the issue references explicitly identify OpenAirInterface CN5G AMF component version 2.2.0. This represents a protocol-level parsing flaw in telecommunications infrastructure software.
RemediationAI
Apply the vendor-provided fix tracked in GitLab merge request 414 at https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/merge_requests/414. The merge request contains code changes addressing NGAP message validation and error handling. Organizations should upgrade to the patched version once merged and released, or manually apply the commit if building from source. Interim mitigations include deploying network-level filtering to restrict NGAP message sources to trusted gNodeB IP addresses, implementing rate limiting on NGAP endpoints to reduce DoS impact, and enabling automated AMF restart mechanisms to minimize service disruption windows. Monitor AMF logs for parsing errors or unexpected crashes as indicators of exploitation attempts. For lab or non-production environments, consider isolating vulnerable instances from untrusted network segments until patching is complete. Validate NGAP message integrity using authenticated IPsec tunnels where supported by infrastructure.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19237
GHSA-3cfx-9xg9-hh68