Description
A security flaw has been discovered in omec-project amf up to 2.1.3-dev. The impacted element is the function RANConfiguration of the file ngap/handler.go. The manipulation results in null pointer dereference. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 2.2.0 is sufficient to resolve this issue. Upgrading the affected component is recommended. The same pull request fixes multiple security issues.
Published: 2026-05-18
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a null pointer dereference triggered within the RANConfiguration function of the ngap/handler.go file when an attacker crafts a malformed message. This flaw can cause the amf service to crash or become unresponsive, leading to a denial of service for users relying on the 5G core network. The patch does not provide evidence of code execution or privilege escalation.

Affected Systems

Omec‑project amf versions up to and including 2.1.3‑dev are affected. Upgrading to release 2.2.0 removes the flaw by adding proper null checks before processing RANConfiguration data.

Risk and Exploitability

This issue carries a CVSS score of 5.3, indicating moderate severity. No EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog. The description states that the exploit can be launched remotely and that a public exploit has been released, so an attacker can remotely send a crafted NGAP packet to trigger the crash without additional access.

Generated by OpenCVE AI on May 18, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade amf to version 2.2.0, which applies the necessary null‑check fix.
  • Configure the NGAP input validator to reject or log malformed RANConfiguration messages before processing.
  • Monitor amf logs and service uptime to detect any unexpected crashes or repeated denial‑of‑service events.

Advisories

No advisories yet.

History

Mon, 18 May 2026 10:15:00 +0000

Values added (the Values Removed column is empty):
Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 18 May 2026 02:15:00 +0000

Values added (the Values Removed column is empty):
Description: A security flaw has been discovered in omec-project amf up to 2.1.3-dev. The impacted element is the function RANConfiguration of the file ngap/handler.go. The manipulation results in null pointer dereference. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 2.2.0 is sufficient to resolve this issue. Upgrading the affected component is recommended. The same pull request fixes multiple security issues.
Title: omec-project amf handler.go RANConfiguration null pointer dereference
First Time appeared: Omec-project; Omec-project amf
Weaknesses: CWE-404, CWE-476
CPEs: cpe:2.3:a:omec-project:amf:*:*:*:*:*:*:*:*
Vendors & Products: Omec-project; Omec-project amf
References:
Metrics cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}
Metrics cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
Metrics cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
Metrics cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-18T10:02:58.282Z

Reserved: 2026-05-17T09:55:58.968Z

Link: CVE-2026-8781

Vulnrichment

Updated: 2026-05-18T10:02:53.144Z

NVD

Status: Received

Published: 2026-05-18T02:16:37.570

Modified: 2026-05-18T02:16:37.570

Link: CVE-2026-8781

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T04:00:15Z
