CVE-2026-30078 Overview
CVE-2026-30078 is a Denial of Service (DoS) vulnerability affecting OpenAirInterface V2.2.0, specifically within the Access and Mobility Management Function (AMF) component. The AMF crashes when it receives an NGAP (NG Application Protocol) message containing an invalid procedure code or an invalid PDU-type. This improper input validation flaw (CWE-20) can be exploited remotely by sending malformed NGAP messages, such as when the message specification requires an InitiatingMessage but is sent with a successfulOutcome instead.
Critical Impact
Remote attackers can crash the AMF component of OpenAirInterface 5G core network by sending specially crafted NGAP messages with invalid procedure codes or mismatched PDU types, causing service disruption to 5G network operations.
Affected Products
- OpenAirInterface V2.2.0
- OpenAirInterface AMF (oai-cn5g-amf)
Discovery Timeline
- 2026-04-06 - CVE CVE-2026-30078 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-30078
Vulnerability Analysis
This vulnerability stems from improper input validation within the NGAP message handling routines of the OpenAirInterface AMF. The NGAP protocol, which operates between the 5G gNB (base station) and the AMF in the 5G Core network, uses a structured message format with specific procedure codes and PDU types (InitiatingMessage, SuccessfulOutcome, UnsuccessfulOutcome).
The AMF fails to properly validate incoming NGAP messages before processing them. When a message arrives with an unexpected PDU type or an invalid procedure code, the parsing logic encounters an unhandled condition that leads to a crash. This represents a classic input validation vulnerability where the application does not gracefully handle malformed or unexpected input data.
Root Cause
The root cause is classified under CWE-20 (Improper Input Validation). The AMF component does not perform adequate validation on the PDU-type field and procedure code values in incoming NGAP messages. When the message specification expects an InitiatingMessage PDU type but receives a successfulOutcome or other mismatched type, the message parsing code fails to handle this discrepancy, resulting in a crash condition. Similarly, invalid procedure codes are not properly rejected, leading to the same outcome.
Attack Vector
The attack can be executed remotely over the network by any entity capable of sending NGAP messages to the AMF. An attacker positioned on the N2 interface (the reference point between the RAN and the AMF) could craft and send malformed NGAP messages to trigger the vulnerability. The attack requires no authentication or user interaction, making it particularly dangerous in scenarios where the NGAP interface is accessible to untrusted network segments.
The exploitation mechanism involves constructing an NGAP message where the PDU-type field is intentionally mismatched with what the procedure code expects. For example, sending a successfulOutcome PDU type for a procedure that only accepts InitiatingMessage would trigger the crash. Technical details and the specific fix can be found in the Eurecom GitLab Issue #74.
Detection Methods for CVE-2026-30078
Indicators of Compromise
- Unexpected AMF process crashes or restarts without clear cause
- NGAP messages with mismatched PDU types in network traffic captures (e.g., successfulOutcome where InitiatingMessage is expected)
- Anomalous NGAP traffic patterns with invalid procedure codes
- Core dumps or crash logs from the AMF service indicating parsing failures
Detection Strategies
- Implement network monitoring on the N2 interface to detect malformed NGAP messages with invalid procedure codes or PDU-type mismatches
- Deploy intrusion detection rules that flag NGAP messages where the PDU-type does not match the expected type for a given procedure code
- Configure process monitoring to alert on repeated AMF service crashes or unexpected restarts
- Review AMF logs for parsing errors or exception messages related to NGAP message handling
Monitoring Recommendations
- Set up real-time alerting for AMF process health and availability
- Monitor 5G core network service continuity metrics for unexpected disruptions
- Implement network traffic analysis on NGAP interfaces to baseline normal behavior and detect anomalies
- Enable detailed logging for NGAP message processing to assist in post-incident analysis
How to Mitigate CVE-2026-30078
Immediate Actions Required
- Upgrade OpenAirInterface AMF to a patched version that addresses this vulnerability
- Restrict network access to the NGAP/N2 interface to only trusted gNB nodes
- Implement network-level filtering to block malformed NGAP messages where possible
- Monitor AMF service health and implement automatic restart policies as a temporary measure
Patch Information
A fix for this vulnerability has been developed and is available through Merge Request #414 on the Eurecom GitLab repository. Organizations running OpenAirInterface V2.2.0 should review and apply this merge request or upgrade to a version that includes this fix. The patch adds proper validation for NGAP message PDU types and procedure codes before processing.
Workarounds
- Implement network segmentation to ensure only authorized gNB nodes can communicate with the AMF on the N2 interface
- Deploy a network firewall or traffic inspection solution capable of filtering malformed NGAP messages
- Configure high-availability clustering for the AMF to minimize service disruption in case of a crash
- Implement rate limiting on the NGAP interface to slow down potential DoS attacks
# Configuration example - Network access restriction for AMF (iptables example)
# Restrict NGAP/SCTP traffic (port 38412) to known gNB IP addresses only
iptables -A INPUT -p sctp --dport 38412 -s <trusted_gnb_ip_1> -j ACCEPT
iptables -A INPUT -p sctp --dport 38412 -s <trusted_gnb_ip_2> -j ACCEPT
iptables -A INPUT -p sctp --dport 38412 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
