PatchSiren


CVE-2026-8780 omec-project CVE debrief

A memory corruption vulnerability exists in the OMEC Project AMF (Access and Mobility Management Function) up to version 2.1.3-dev. The flaw resides in an unknown function within the NGAP Message Handler component, specifically in the file ngap/dispatcher.go. Remote attackers can exploit this vulnerability to trigger memory corruption. The CVSS 4.0 score of 2.1 reflects low severity with network attack vector, low attack complexity, and low availability impact. The vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). Public exploit availability increases risk, though the overall severity remains limited by required privileges and impact scope.

Vendor: omec-project
Product: amf
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-18
Advisory published: 2026-05-18
Advisory updated: 2026-05-18

Who should care

Telecommunications operators deploying OMEC Project's open-source 5G core AMF; network security teams managing 5G standalone core infrastructure; and vulnerability management programs tracking open-source telecom software.

Technical summary

The vulnerability exists in the NGAP (Next Generation Application Protocol) Message Handler within ngap/dispatcher.go. Memory corruption can be triggered through remote manipulation of NGAP messages. The attack requires network access and low privileges but results in limited availability impact. The fix in version 2.2.0 addresses this and other security issues through pull request #666.

Defensive priority

medium

Recommended defensive actions

  • Upgrade omec-project/amf to version 2.2.0 or later to remediate this vulnerability
  • Review network segmentation for AMF deployments to limit exposure of NGAP interfaces
  • Monitor for anomalous NGAP traffic patterns that may indicate exploitation attempts
  • Verify that pull request #666 fixes are applied if running custom builds
  • Assess dependent 5G core network functions for cascading availability risks
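
The upgrade and custom-build checks above can be run across an inventory with a small triage helper. This is an added example, not code from omec-project or from this advisory: the Classify function, the status labels and the sample inventory are assumptions, and only the versions 2.1.3-dev and 2.2.0 come from the text above.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixedRelease is the patched AMF release named in this debrief (2.2.0).
var fixedRelease = [3]int{2, 2, 0}

// Classify triages one AMF version string against the fixed release.
//
//	"affected": numeric version is below 2.2.0 (this includes 2.1.3-dev).
//	"fixed":    a plain release at or above 2.2.0.
//	"verify":   a suffixed (pre-release or custom) build at or above 2.2.0,
//	            or an unparseable tag; confirm in source that the fix is present.
func Classify(version string) string {
	v := strings.TrimPrefix(strings.TrimSpace(version), "v")
	core, _, hasSuffix := strings.Cut(v, "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return "verify"
	}
	cmp := 0
	for i := 0; i < 3; i++ {
		n, err := strconv.Atoi(parts[i])
		if err != nil {
			return "verify" // e.g. "2.1.x" or "latest": cannot be ordered
		}
		if cmp == 0 {
			cmp = n - fixedRelease[i] // first differing field decides the order
		}
	}
	switch {
	case cmp < 0:
		return "affected"
	case hasSuffix:
		return "verify"
	default:
		return "fixed"
	}
}

func main() {
	// Constructed inventory: instance names and versions are sample values.
	inventory := map[string]string{"amf-lab": "2.1.3-dev", "amf-prod": "v2.2.0", "amf-custom": "2.2.0-dev", "amf-old": "latest"}
	for name, ver := range inventory {
		fmt.Printf("%-10s %-10s %s\n", name, ver, Classify(ver))
	}
}
```

A "verify" result means the version string alone cannot show whether the pull request #666 changes are in the build, so the build's source needs to be checked directly.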

Evidence notes

Vulnerability identified in omec-project/amf repository. Issue tracked as GitHub issue #670. Fix implemented via pull request #666, which addresses multiple security issues. Vendor released patched version 2.2.0. Vuldb submission reference 811617 and vulnerability entry 364404 provide additional context.
