PatchSiren cyber security CVE debrief
CVE-2026-8783 omec-project CVE debrief
CVE-2026-8783 is a low-severity but remotely reachable availability issue in omec-project amf. The vulnerability is described as a null pointer dereference in UERadioCapabilityCheckResponse within ngap/dispatcher.go, affecting versions up to 2.1.3-dev. The supplied source material states that the issue can be triggered remotely and that public exploitation details have been disclosed. Version 2.2.0 is identified as the fix.
- Vendor: omec-project
- Product: amf
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-18
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-18
- Advisory updated: 2026-05-18
Who should care
Teams operating omec-project amf, especially environments running versions up to 2.1.3-dev or any deployment that exposes the affected NGAP handling path to untrusted network traffic. Security and operations teams should prioritize this if service availability is important.
Technical summary
The source corpus describes a remote null pointer dereference in the UERadioCapabilityCheckResponse function in ngap/dispatcher.go. NVD lists the vulnerability with a network attack vector and low availability impact, consistent with a denial-of-service-style failure rather than code execution. The record also notes the vulnerability status as Deferred and points to a GitHub issue, a pull request, and the v2.2.0 release as supporting references. The supplied description says the same pull request addresses multiple security issues.
Defensive priority
Moderate priority for exposed deployments. The CVSS score is low, but the issue is remotely reachable and publicly disclosed, so affected services that depend on amf availability should be patched promptly to reduce outage risk.
Recommended defensive actions
- Upgrade omec-project amf to version 2.2.0 as soon as practical.
- Inventory deployments to confirm whether any instance is running a version up to 2.1.3-dev.
- Review service exposure for the affected NGAP handling path and monitor for crashes or restarts around UERadioCapabilityCheckResponse processing.
- If immediate upgrade is not possible, apply compensating controls that reduce exposure of the affected service until patching is complete.
- Track the linked GitHub issue, pull request, and release notes for any additional security fixes bundled with the 2.2.0 update.
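One way to do the crash monitoring suggested above, as an added example (not code from omec-project or from the advisory): scan AMF logs for Go nil pointer dereference panics and flag those whose stack trace names the function or file from the CVE description. The log lines, the timestamped record layout and the stack frame text are constructed assumptions; only the Go runtime panic message, the function name and the file path are taken as given.

```python
import re

# Message the Go runtime prints for a nil pointer dereference (CWE-476).
NIL_DEREF = "invalid memory address or nil pointer dereference"
# Function and file named in the CVE description.
MARKERS = ("UERadioCapabilityCheckResponse", "ngap/dispatcher.go")
# Assumed log layout: every normal record starts with an ISO timestamp,
# so a panic's stack trace runs until the next timestamped line.
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2}T")

# Constructed sample log, not captured from a real AMF.
SAMPLE_LOG = """\
2026-05-18T10:00:01Z [INFO][AMF][NGAP] Handle NGSetupRequest
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x0]

goroutine 42 [running]:
github.com/omec-project/amf/ngap.UERadioCapabilityCheckResponse(...)
\t/src/amf/ngap/dispatcher.go:0 +0x0
2026-05-18T10:00:03Z [INFO][AMF][Init] AMF starting
2026-05-18T10:05:00Z [ERRO][AMF][SBI] panic: runtime error: invalid memory address or nil pointer dereference
goroutine 7 [running]:
example.com/other/pkg.Handler(...)
2026-05-18T10:05:01Z [INFO][AMF][SBI] recovered
"""

def find_nil_deref_crashes(lines):
    """Return (line_no, on_cve_path) for each nil-dereference panic block."""
    hits, i = [], 0
    while i < len(lines):
        if NIL_DEREF not in lines[i]:
            i += 1
            continue
        start, on_cve_path = i, False
        i += 1
        # Walk the stack trace until the next timestamped record.
        while i < len(lines) and not RECORD_START.match(lines[i]):
            on_cve_path = on_cve_path or any(m in lines[i] for m in MARKERS)
            i += 1
        hits.append((start + 1, on_cve_path))
    return hits

if __name__ == "__main__":
    for line_no, on_cve_path in find_nil_deref_crashes(SAMPLE_LOG.splitlines()):
        tag = "CVE-2026-8783 code path" if on_cve_path else "other nil dereference"
        print(f"line {line_no}: {tag}")
```

A hit on the CVE code path from an instance already upgraded to 2.2.0 would be worth reporting upstream; hits on other paths are unrelated crashes and still deserve triage.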
Evidence notes
The debrief is based on the supplied CVE description and NVD-modified source item dated 2026-05-18. The source description names omec-project amf, the affected function UERadioCapabilityCheckResponse in ngap/dispatcher.go, remote reachability, and version 2.2.0 as the fix. NVD metadata includes a CVSS v4.0 vector with network attack vector and availability impact only, plus weakness mappings to CWE-476 and CWE-404. The source item also lists GitHub references for the repository, issue #675, pull request #666, and the v2.2.0 release.
Official resources
Publicly disclosed in the supplied source description; CVE published on 2026-05-18. No exploit details are included here.