CVE-2026-8779 Overview
CVE-2026-8779 is a memory corruption vulnerability in the omec-project Access and Mobility Management Function (AMF) component, affecting versions up to 2.1.3-dev. The flaw resides in the NGSetupRequest function within ngap/handler.go. An authenticated remote attacker can manipulate the InformationElement argument to trigger memory corruption [CWE-119]. The exploit has been publicly disclosed. The maintainers addressed this issue in version 2.2.0, which also bundles fixes for additional security defects under the same pull request.
Critical Impact
Remote manipulation of NGAP protocol input can corrupt memory within the AMF process, potentially impacting availability of the 5G core control plane.
Affected Products
- omec-project AMF versions up to and including 2.1.3-dev
- 5G core deployments that integrate the affected AMF component
- Downstream distributions packaging the vulnerable ngap/handler.go
Discovery Timeline
- 2026-05-18 - CVE-2026-8779 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-8779
Vulnerability Analysis
The omec-project AMF implements the Next Generation Application Protocol (NGAP) used between the gNodeB and the 5G core. The vulnerability resides in the NGSetupRequest handler in ngap/handler.go, which processes Information Elements sent during NGAP session establishment. Manipulating the InformationElement argument triggers memory corruption inside the AMF process. The defect is classified as [CWE-119] — improper restriction of operations within the bounds of a memory buffer. Because the AMF terminates control-plane signaling from radio access network elements, corruption in this path can disrupt subscriber registration and mobility procedures.
Root Cause
The handler does not properly validate the size or structure of attacker-controlled fields within the NGAP NGSetupRequest message before performing memory operations. Insufficient bounds checking on the InformationElement argument allows out-of-range data to be written or read in adjacent buffers. The same pull request that introduces the fix consolidates remediation for multiple related parsing issues in the NGAP code path.
Attack Vector
The attack is network-based and requires the attacker to deliver a crafted NGAP NGSetupRequest to the AMF's SCTP listener. An attacker positioned to reach the AMF control-plane interface — for example, a compromised or rogue gNodeB, a misconfigured exposed N2 interface, or an attacker with lateral movement into the operator network — can submit malformed Information Elements. Successful exploitation produces memory corruption within the AMF process. The publicly disclosed proof of concept lowers the barrier to weaponization.
No verified exploit code is reproduced here. See the GitHub Issue Tracker #671 and GitHub Pull Request #666 for technical details of the affected code path.
Detection Methods for CVE-2026-8779
Indicators of Compromise
- Unexpected AMF process crashes, restarts, or panics correlated with inbound NGAP traffic
- NGAP NGSetupRequest messages originating from unknown or unauthorized gNodeB identifiers
- Malformed Information Elements or oversized fields recorded in NGAP packet captures on the N2 interface
Detection Strategies
- Inspect SCTP traffic to the AMF for NGAP messages with abnormal Information Element lengths or structures
- Correlate AMF process termination events with preceding NGAP NGSetupRequest activity in centralized logs
- Validate gNodeB identities and source addresses against an allowlist of authorized RAN nodes
Monitoring Recommendations
- Forward AMF stdout, stderr, and container restart events to a centralized logging platform for anomaly review
- Enable SCTP-aware packet capture on the N2 interface during incident response windows
- Alert on repeated NGAP setup failures from the same peer, which can indicate fuzzing or exploitation attempts
How to Mitigate CVE-2026-8779
Immediate Actions Required
- Upgrade omec-project AMF to version 2.2.0 or later, which contains the upstream fix
- Restrict network reachability to the AMF N2/SCTP interface to known gNodeB peers only
- Audit any exposure of the 5G core control plane to untrusted networks and remove unnecessary paths
Patch Information
The fix is included in the GitHub Release v2.2.0 of omec-project AMF. The relevant code changes are merged through GitHub Pull Request #666, which also addresses additional security issues in the NGAP handling code. Operators tracking development branches should rebase onto the fixed commit and rebuild container images. Additional context is available in VulDB Vulnerability #364403.
Workarounds
- Place the AMF behind a segmentation boundary that filters SCTP traffic to authorized gNodeB endpoints
- Apply strict NGAP peer authentication and IPsec on the N2 interface where supported
- Monitor AMF availability and configure automated restart with rate limiting to reduce denial-of-service impact until patching completes
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
