Impact
A flaw in the NGSetupRequest handler of Omec‑Project AMF allows an attacker to send a manipulated request that crashes the component, resulting in a denial of service. The flaw is triggered by malformed input processed by the handler in handler.go and can be exploited remotely with no special authentication. Once the flaw is triggered, the service is unavailable to legitimate users until it is restarted. The vulnerability is classified as CWE‑404, indicating that a resource may be missing or inaccessible during operation.
Affected Systems
Versions of Omec‑Project AMF up to 2.0.2 and 2.1.1 are impacted. The affected component is the NGSetupRequest handler located in /go/src/amf/ngap/handler.go. Any deployment running one of these releases without the identified patch is vulnerable.
Risk and Exploitability
The CVSS score of 5.3 places this issue in the moderate severity range. The EPSS score is not available, but a publicly available exploit exists for the vulnerability, which suggests an actual threat level higher than the base score. It is not listed in the CISA KEV catalog. The attack vector is remote and requires only network access to the AMF service. The exploit can be launched from anywhere with connectivity to the NGSetupRequest endpoint, making it a potentially widespread risk for exposed services.