CVE-2026-8782 omec-project CVE debrief

Who should care

Telecommunications operators deploying OMEC Project AMF in 5G core networks; security teams managing mobile core infrastructure; network engineers responsible for AMF NGAP interface security; organizations using open source 5G core implementations

Technical summary

The vulnerability exists in the NGAP (Next Generation Application Protocol) message handler component of the OMEC Project AMF, specifically within ngap/handler.go. A null pointer dereference can be triggered when processing malformed or unexpected NGAP messages, leading to service disruption. The attack vector is network-based with low attack complexity, but requires low-privileged authentication. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L) reflects network accessibility with availability impact as the primary concern. The fix in version 2.2.0 addresses this and additional security issues through comprehensive input validation and null pointer checks in the NGAP handler implementation.

Defensive priority

medium

Recommended defensive actions

• Upgrade OMEC Project AMF to version 2.2.0 or later to remediate this vulnerability
• Review network segmentation for AMF NGAP interfaces to limit attack exposure
• Monitor for anomalous NGAP message patterns that may indicate exploitation attempts
• Validate that AMF deployments are not exposed to untrusted networks without authentication controls
• Review pull request 666 changelog for additional security fixes included in the 2.2.0 release

Evidence notes

Vulnerability disclosed via VulDB and NVD on 2026-05-18. Exploit availability confirmed in source metadata. Fix confirmed through official GitHub release tagging and pull request merge.

Official resources