Skip to main content

OMEC AMF EUVDEUVD-2026-30731

| CVE-2026-8783 LOW
NULL Pointer Dereference (CWE-476)
2026-05-18 VulDB GHSA-6v92-ph9p-hrpc
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
May 18, 2026 - 04:22 NVD
MEDIUM LOW
CVSS changed
May 18, 2026 - 04:22 NVD
4.3 (MEDIUM) 2.1 (LOW)
Source Code Evidence Fetched
May 18, 2026 - 03:44 vuln.today
Analysis Generated
May 18, 2026 - 03:44 vuln.today

DescriptionCVE.org

A security vulnerability has been detected in omec-project amf up to 2.1.3-dev. This impacts the function UERadioCapabilityCheckResponse of the file ngap/dispatcher.go. Such manipulation leads to null pointer dereference. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.2.0 will fix this issue. Upgrading the affected component is advised. The same pull request fixes multiple security issues.

AnalysisAI

Null pointer dereference in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.3-dev allows authenticated remote attackers to trigger denial of service via crafted NGAP UERadioCapabilityCheckResponse messages. The vulnerability exists in ngap/dispatcher.go where insufficient null pointer validation permits exploitation through the 5G network interface. Public exploit code exists (GitHub issue #675), and vendor-released patch v2.2.0 is available via PR #666, which also addresses multiple related security issues in NGAP message handling and mobile identity parsing.

Technical ContextAI

OMEC (Open Mobile Evolved Core) AMF implements the 3GPP Access and Mobility Management Function for 5G standalone core networks. The vulnerability (CWE-476) affects the NGAP (NG Application Protocol) dispatcher in ngap/dispatcher.go, specifically in UERadioCapabilityCheckResponse message processing. NGAP is the control-plane protocol between 5G radio access networks (gNB) and the core AMF. The patch evidence shows multiple missing null-pointer checks in dispatcher.go (lines handling sctplbMsg, ran context, connection objects, and NGAP PDUs), plus related input validation failures in gmm/handler.go (PLMN ID parsing from SUCI) and nas/nas_security/security.go (empty MobileIdentity5GSContents). The code serves SCTP-based 5G signaling traffic and metrics telemetry. GitHub PR #666 adds defensive null checks across message ingestion paths and improves UTF-8 validation for Prometheus label values, preventing crashes when malformed or missing data structures are processed.

RemediationAI

Upgrade to OMEC AMF version 2.2.0 or later, confirmed fixed per vendor release tag https://github.com/omec-project/amf/releases/tag/v2.2.0 and pull request https://github.com/omec-project/amf/pull/666. The patch adds null-pointer validation in ngap/dispatcher.go (checks for nil sctplbMsg, ran, conn, pdu before dereferencing), error handling for PLMN ID parsing in gmm/handler.go, and empty-buffer checks in nas/nas_security/security.go. If immediate upgrade is not feasible, implement network-level access controls restricting NGAP SCTP connections to trusted gNB IP addresses only (reduces attack surface to compromised base stations), and enable verbose logging in ngap/dispatcher.go to detect repeated null-pointer errors indicative of exploitation attempts - note this mitigation does not prevent crashes but aids incident detection. Monitor AMF process restarts and correlate with NGAP message types in logs. No configuration-based workaround exists as the bug is in core message processing logic. Patching is strongly recommended as PR #666 addresses multiple related null-pointer and input validation issues beyond this single CVE.

More in Amf

View all
CVE-2025-69248 HIGH POC
7.5 Feb 23

free5GC is an open-source project for 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 of fr

CVE-2026-14623 LOW POC
2.1 Jul 04

Denial of service in omec-project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows a low-privil

CVE-2026-14624 LOW POC
2.1 Jul 04

Denial of service in omec-project's 5G Access and Mobility Management Function (AMF) versions up to 2.0.2 and 2.1.1 allo

CVE-2026-8782 LOW POC
2.1 May 18

Remote denial of service in omec-project AMF versions up to 2.1.3-dev allows authenticated attackers to crash the Access

CVE-2026-8781 LOW POC
2.1 May 18

Null pointer dereference in OMEC Project AMF versions up to 2.1.3-dev allows remote authenticated attackers to trigger d

CVE-2026-9301 LOW POC
2.1 May 23

Memory corruption in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows authenticate

CVE-2026-9300 LOW POC
2.1 May 23

Memory corruption in the omec-project AMF (Access and Mobility Management Function) NGSetupRequest Handler allows networ

CVE-2026-9299 LOW POC
2.1 May 23

Memory corruption in omec-project AMF versions up to 2.1.1 exposes 5G core network infrastructure to remote exploitation

CVE-2026-9298 LOW POC
2.1 May 23

Memory corruption in omec-project AMF (Access and Mobility Management Function) through version 2.1.1 allows authenticat

CVE-2026-8780 LOW POC
2.1 May 18

Memory corruption in omec-project AMF versions up to 2.1.3-dev allows authenticated remote attackers to trigger low-seve

CVE-2026-8779 LOW POC
2.1 May 18

Memory corruption in OMEC Project's Access and Mobility Management Function (AMF) allows authenticated remote attackers

CVE-2026-8349 LOW POC
2.1 May 11

Memory corruption in OMEC Project AMF up to version 2.1.1 occurs in the NGAP Message Handler when processing malformed m

Share

EUVD-2026-30731 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy