PatchSiren cyber security CVE debrief
CVE-2026-8779 omec-project CVE debrief
A memory corruption vulnerability exists in the OMEC Project AMF (Access and Mobility Management Function) software, affecting versions up to and including 2.1.3-dev. The flaw resides in the NGSetupRequest function within ngap/handler.go, where improper handling of the InformationElement argument can lead to memory corruption. This vulnerability is remotely exploitable and has been publicly disclosed. The CVSS 4.0 score of 2.1 (LOW severity) reflects limited availability impact with no confidentiality or integrity impact under the assessed vector. The weakness is categorized as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). A fix has been released in version 2.2.0, which addresses this issue along with multiple other security concerns in the same pull request.
- Vendor: omec-project
- Product: amf
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-18
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-18
- Advisory updated: 2026-05-18
Who should care
Telecommunications operators deploying the OMEC Project's open-source 5G core network, particularly those running AMF versions prior to 2.2.0, and security teams managing 5G N2 interface exposure and network function virtualization infrastructure. Organizations relying on containerized or cloud-native AMF deployments should prioritize patching to prevent potential service disruption from crafted NGAP messages.
Technical summary
The vulnerability exists in the NGSetupRequest handler of the OMEC Project's open-source AMF implementation. The NGSetupRequest is a critical NGAP (Next Generation Application Protocol) message used to establish the N2 interface between the gNB (5G base station) and the AMF. Improper handling of the InformationElement argument in this function can trigger memory corruption, potentially causing denial of service or unpredictable behavior in the AMF. The attack vector is network-based and requires low attack complexity with no user interaction. The vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). The fix was implemented in pull request #666 and released in version 2.2.0, which also addresses multiple other security issues.
Defensive priority
LOW
Recommended defensive actions
- Upgrade omec-project/amf to version 2.2.0 or later to remediate this vulnerability
- Review and apply the security fixes from pull request #666 which addresses multiple security issues
- Monitor for unauthorized NGAP (Next Generation Application Protocol) traffic targeting AMF NGSetupRequest endpoints
- Implement network segmentation to restrict AMF interface exposure to trusted N2 interfaces only
- Review memory safety practices in NGAP message handling code, particularly for InformationElement parsing
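The monitoring and segmentation actions above can be checked against flow logs. The following is an added example, not code from the advisory or from the OMEC project: it flags SCTP flows to the NGAP port whose source is outside a gNB allowlist. The flow-record format, the allowlist prefix and all addresses are constructed assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

const ngapPort = "38412" // NGAP's registered SCTP port (3GPP TS 38.412)
// Constructed allowlist of gNB source prefixes (assumption for this example).
var trustedGNBs = []netip.Prefix{netip.MustParsePrefix("10.20.0.0/24")}

// Constructed flow records toward the AMF, one per line: "src dst proto dport".
const sampleFlows = `10.20.0.11 10.10.0.5 sctp 38412
192.0.2.77 10.10.0.5 sctp 38412
10.20.0.12 10.10.0.5 tcp 443
bad-line
198.51.100.9 10.10.0.5 SCTP 38412`

// UntrustedNGAPSources lists sources of NGAP flows outside the allowlist and counts unparseable lines.
func UntrustedNGAPSources(flows string, allow []netip.Prefix) (flagged []string, malformed int) {
	for _, line := range strings.Split(flows, "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			malformed++
			continue
		}
		src, err := netip.ParseAddr(f[0])
		if err != nil {
			malformed++
			continue
		}
		if !strings.EqualFold(f[2], "sctp") || f[3] != ngapPort {
			continue // not NGAP transport
		}
		trusted := false
		for _, p := range allow {
			trusted = trusted || p.Contains(src)
		}
		if !trusted {
			flagged = append(flagged, src.String())
		}
	}
	return flagged, malformed
}

func main() {
	fmt.Println(UntrustedNGAPSources(sampleFlows, trustedGNBs))
}
```

Any flagged source means the N2 interface is reachable from outside the intended gNB range, which is the exposure the segmentation action is meant to close.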
Evidence notes
Vulnerability identified in omec-project/amf repository. The NGSetupRequest function in ngap/handler.go fails to properly validate or handle the InformationElement argument, leading to memory corruption. The fix is contained in pull request #666 and released in version 2.2.0.
Official resources
Public disclosure occurred on 2026-05-18 with CVE publication. The exploit has been publicly disclosed and may be used.