Description
A vulnerability was identified in omec-project amf up to 2.0.2/2.1.1. Impacted is an unknown function of the file /go/src/amf/ngap/handler.go of the component NGSetupRequest Handler. The manipulation leads to denial of service. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is 34bc6724acc97dba1f8691e586da95b042cb612d. To fix this issue, it is recommended to deploy a patch.
Published: 2026-07-04
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the NGSetupRequest handler of Omec‑Project AMF allows an attacker to manipulate a request and cause the component to crash, resulting in a denial of service. The flaw is triggered by malformed input processed by the handler in handler.go and can be exploited remotely with no special authentication. Once the crash is triggered, the service is unavailable to legitimate users until it is restarted. The vulnerability is classified as CWE‑404 (Improper Resource Shutdown or Release).

Affected Systems

Versions of Omec‑Project AMF up to 2.0.2 and 2.1.1 are impacted. The affected component is the NGSetupRequest handler located in /go/src/amf/ngap/handler.go. Any deployment running one of these releases without the identified patch is vulnerable.

Risk and Exploitability

The CVSS score of 5.3 places this issue in the Medium severity range. The EPSS score is not available, but a publicly available exploit exists, which suggests an actual threat level higher than the base score. The issue is not listed in the CISA KEV catalog. The attack vector is remote, requiring only network access to the AMF service. The exploit can be launched from anywhere with connectivity to the NGSetupRequest endpoint, making it a potentially widespread risk for exposed services.

Generated by OpenCVE AI on July 4, 2026 at 23:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Omec‑Project AMF to a version that includes commit 34bc6724acc97dba1f8691e586da95b042cb612d or later, which resolves the denial‑of‑service issue in the NGSetupRequest handler.
  • If an immediate upgrade is not feasible, temporarily disable or block the NGSetupRequest endpoint to prevent malicious requests from reaching the vulnerable handler.
  • Implement monitoring and rate‑limiting on the NGSetupRequest API to detect and mitigate repeated exploitation attempts, and consider blocking repeat offenders’ IP addresses.

Generated by OpenCVE AI on July 4, 2026 at 23:58 UTC.

Advisories

No advisories yet.

History

Sat, 04 Jul 2026 10:45:00 +0000

Type Values Removed Values Added
  • Description: A vulnerability was identified in omec-project amf up to 2.0.2/2.1.1. Impacted is an unknown function of the file /go/src/amf/ngap/handler.go of the component NGSetupRequest Handler. The manipulation leads to denial of service. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is 34bc6724acc97dba1f8691e586da95b042cb612d. To fix this issue, it is recommended to deploy a patch.
  • Title: omec-project amf NGSetupRequest handler.go denial of service
  • First Time appeared: Omec-project, Omec-project amf
  • Weaknesses: CWE-404
  • CPEs: cpe:2.3:a:omec-project:amf:*:*:*:*:*:*:*:*
  • Vendors & Products: Omec-project, Omec-project amf
  • References:
  • Metrics:
      cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}
      cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
      cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
      cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-04T10:15:10.107Z

Reserved: 2026-07-03T17:01:03.539Z

Link: CVE-2026-14624

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-05T00:00:16Z

Weaknesses
  • CWE-404: Improper Resource Shutdown or Release