PatchSiren cyber security CVE debrief

CVE-2026-9301 omec-project CVE debrief

A memory corruption vulnerability exists in the omec-project AMF (Access and Mobility Management Function) software, affecting versions up to 2.1.1. The flaw resides in the NGReset message handler component, where improper input validation allows remote attackers to trigger memory corruption through crafted NGReset messages. The vulnerability has been publicly disclosed with proof-of-concept availability, though its CVSS 4.0 score of 2.1 reflects limited impact due to required privileges and low confidentiality, integrity, and availability impacts. The issue was reported to VulDB on May 23, 2026, with subsequent modification on May 26, 2026. A fix has been proposed via pull request.

Vendor: omec-project
Product: amf
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-23
Original CVE updated: 2026-05-26
Advisory published: 2026-05-23
Advisory updated: 2026-05-26

Who should care

Telecommunications operators deploying open source 5G core networks; security teams managing private 5G infrastructure; DevOps engineers maintaining omec-project AMF deployments; network architects designing 5G security boundaries

Technical summary

The vulnerability exists in the NGReset message handler of the omec-project AMF implementation. The AMF is a critical 5G core network function responsible for access and mobility management. NGReset is an NG Application Protocol (NGAP) message used to reset the NG interface between the AMF and gNodeB. Improper bounds checking during NGReset message parsing leads to memory corruption. The attack requires network access to the AMF's NGAP interface and valid low-privilege credentials or context. Successful exploitation could result in limited impacts to confidentiality, integrity, and availability of the AMF function. The CVSS 4.0 score of 2.1 (LOW severity) reflects these constrained impact metrics despite the network attack vector and public exploit availability.

Defensive priority

LOW

Recommended defensive actions

  • Upgrade omec-project AMF to a version containing the fix from pull request 666
  • Monitor NGReset message handling for anomalous patterns in 5G core network traffic
  • Apply principle of least privilege for AMF administrative access
  • Review memory safety practices in NGAP message parsing code
  • Subscribe to omec-project security advisories for patch availability notifications
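
One way to act on the NGReset monitoring recommendation above, as an added example that is not part of the original debrief or of omec-project code: flag a peer that sends NGReset in a burst, and flag an AMF restart that follows an NGReset within seconds. The log line format, field names, thresholds and peer addresses are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input. The line format is an assumption for this example,
# not real omec-project AMF output; peers use documentation addresses.
SAMPLE_LOG = """\
2026-05-24T10:00:01Z amf ngap msg=NGSetupRequest peer=192.0.2.11
2026-05-24T10:02:00Z amf ngap msg=NGReset peer=192.0.2.11
2026-05-24T10:10:00Z amf ngap msg=NGReset peer=192.0.2.22
2026-05-24T10:10:05Z amf ngap msg=NGReset peer=192.0.2.22
2026-05-24T10:10:09Z amf ngap msg=NGReset peer=192.0.2.22
2026-05-24T10:10:12Z amf ngap msg=NGReset peer=192.0.2.22
2026-05-24T10:10:14Z amf process event=restart
2026-05-24T10:30:00Z amf process event=restart
"""

LINE = re.compile(r"^(\S+) amf (?:ngap msg=(\w+) peer=(\S+)|process event=(\w+))$")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

def analyze(log, rate_limit=3, rate_window=timedelta(seconds=60),
            crash_window=timedelta(seconds=5)):
    """Return (finding, peer, timestamp) tuples for suspicious NGReset activity."""
    recent = defaultdict(list)   # peer -> NGReset times inside rate_window
    last_reset = None            # (peer, time) of the most recent NGReset
    findings = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue             # ignore lines outside the assumed format
        stamp = m.group(1)
        ts = datetime.strptime(stamp, TS_FORMAT)
        if m.group(2) == "NGReset":
            peer = m.group(3)
            recent[peer] = [t for t in recent[peer] if ts - t <= rate_window] + [ts]
            # Report once, at the moment a peer first exceeds the limit.
            if len(recent[peer]) == rate_limit + 1:
                findings.append(("reset_burst", peer, stamp))
            last_reset = (peer, ts)
        elif m.group(4) == "restart" and last_reset:
            # A restart right after an NGReset suggests the handler crashed.
            if ts - last_reset[1] <= crash_window:
                findings.append(("restart_after_reset", last_reset[0], stamp))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The restart correlation is the higher-signal finding for a memory corruption bug in a message handler; tune both windows to the deployment's normal gNodeB behaviour.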

Evidence notes

The vulnerability is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). The CVSS 4.0 vector indicates network attack vector with low attack complexity, no user interaction required, but low privileges required (PR:L). The exploit is confirmed publicly available (E:P). Source references include the omec-project AMF GitHub repository, issue #678 tracking the vulnerability, and pull request #666 containing the proposed fix.

Official resources

Public disclosure occurred on May 23, 2026, with exploit availability confirmed. The vulnerability was assigned CVE-2026-9301 and entered a Deferred status in NVD as of the May 26, 2026 modification.