Impact
The vulnerability is in the NGSetupRequest function in the ngap/handler.go file of omec-project amf. Manipulating the InformationElement argument can cause memory corruption when the AMF processes an NGSetupRequest. The issue is described as a memory corruption bug that could destabilize the AMF or, potentially, enable more severe consequences such as code execution, though the official description does not explicitly claim this. The attack vector is described as remote. The vulnerability has been publicly disclosed and may be used, so an attacker can trigger the defect from outside the environment, for example by sending crafted NGSetupRequest messages. The CVSS score is 5.3, which is medium severity. No EPSS data is currently available, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw is remotely exploitable and publicly known, the overall threat remains non‑negligible and should be addressed promptly.
Affected Systems
Affected systems are those running omec-project amf versions up to 2.1.3-dev. The vulnerability exists in the NGSetupRequest handler and affects all deployments of the AMF component that host the ngap/handler.go logic. Administrators should check whether their AMF instances are still running version 2.1.3-dev or earlier and, if so, plan a migration to version 2.2.0 or later for remediation.
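One way to triage version strings against the range above, as an added example that is not part of the advisory or of the omec-project code base. The sample versions are constructed, and flagging every build below 2.2.0 (including 2.2.0 pre-releases and strings that do not parse) is a conservative assumption rather than something the advisory states.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixedVersion is the first release the advisory names as remediated (2.2.0).
var fixedVersion = [3]int{2, 2, 0}

// parseVersion splits e.g. "v2.1.3-dev" into numeric core and pre-release tag.
func parseVersion(s string) (core [3]int, pre string, err error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	s, pre, _ = strings.Cut(s, "-")
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return core, pre, fmt.Errorf("want MAJOR.MINOR.PATCH, got %q", s)
	}
	for i, p := range parts {
		if core[i], err = strconv.Atoi(p); err != nil {
			return core, pre, fmt.Errorf("bad component %q: %w", p, err)
		}
	}
	return core, pre, nil
}

// NeedsUpgrade reports whether version is below the fixed release. Assumption:
// pre-releases of 2.2.0 and unparseable strings are flagged for manual review.
func NeedsUpgrade(version string) (bool, error) {
	core, pre, err := parseVersion(version)
	if err != nil {
		return true, err
	}
	for i := range core {
		if core[i] != fixedVersion[i] {
			return core[i] < fixedVersion[i], nil
		}
	}
	return pre != "", nil // same core as 2.2.0: only a tagged build is flagged
}

func main() {
	// Constructed sample versions, not taken from a real deployment.
	for _, v := range []string{"2.1.3-dev", "v2.2.0", "2.2.0-dev", "latest"} {
		upgrade, err := NeedsUpgrade(v)
		fmt.Printf("%-10s needs upgrade: %-5v error: %v\n", v, upgrade, err)
	}
}
```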
Risk and Exploitability
The CVSS score of 5.3 indicates medium severity, reflecting a moderate impact on confidentiality, integrity, or availability. The EPSS score is not available, so current exploitation probability is unknown, but the vulnerability has been publicly disclosed and can be triggered remotely via crafted NGSetupRequest messages, indicating that an attacker can reach the flaw from outside the local network. Because it is not currently listed in the CISA KEV catalog, there is no confirmed widespread exploitation, yet the remote nature and public disclosure mean the risk remains non‑negligible and should be managed with timely patching.
OpenCVE Enrichment