CVE-2026-8780 Overview
CVE-2026-8780 is a memory corruption vulnerability in the omec-project Access and Mobility Management Function (AMF) component, affecting versions up to 2.1.3-dev. The flaw resides in an unknown function within ngap/dispatcher.go, part of the Next-Generation Application Protocol (NGAP) Message Handler. An attacker with low privileges can trigger the issue remotely over the network. The vulnerability is categorized under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer). A public exploit has been disclosed, and the project has released version 2.2.0 to address the issue along with several related security defects in the same pull request.
Critical Impact
Remote attackers with low privileges can corrupt memory in the AMF NGAP message handler, potentially disrupting 5G core network availability.
Affected Products
- omec-project AMF versions up to and including 2.1.3-dev
- Component: NGAP Message Handler (ngap/dispatcher.go)
- 5G core deployments using affected AMF builds
Discovery Timeline
- 2026-05-18 - CVE-2026-8780 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-8780
Vulnerability Analysis
The omec-project AMF implements the 3GPP Access and Mobility Management Function used in 5G core networks. The AMF terminates NGAP signaling from gNodeB radio access nodes over the N2 interface. The vulnerable code path lies in ngap/dispatcher.go, which routes incoming NGAP messages to handler functions based on message type.
The weakness is classified as [CWE-119], indicating the affected function performs operations on a memory buffer without properly enforcing its bounds. Processing a malformed or unexpected NGAP message can drive the dispatcher into an out-of-bounds memory access. In a Go runtime, such conditions typically surface as nil dereferences, slice index panics, or corrupted internal state that terminates the AMF process. The public availability of an exploit raises the operational risk of disruption to subscriber registration and mobility procedures.
Root Cause
The root cause is missing or insufficient validation of NGAP message fields before the dispatcher accesses underlying buffers. The pull request that resolves CVE-2026-8780 also fixes multiple related issues, indicating a broader pattern of inadequate input validation in the NGAP parsing and dispatch layer. The affected function in ngap/dispatcher.go is reachable from any peer able to establish an NGAP/SCTP session with the AMF.
Attack Vector
The attack vector is network based. An adversary that can reach the AMF N2 interface, typically a malicious or compromised gNodeB or an attacker with access to the operator's signaling network, can send a crafted NGAP Protocol Data Unit (PDU) to trigger the memory corruption. The CVSS vector requires low privileges (PR:L), reflecting the need for an established NGAP association. No user interaction is required.
No verified proof-of-concept code is published in the referenced advisories. Refer to GitHub Pull Request #666 and GitHub Issue #670 for the upstream fix and technical discussion.
Detection Methods for CVE-2026-8780
Indicators of Compromise
- Unexpected AMF process crashes, panics, or restarts in container or pod logs coinciding with NGAP traffic
- Repeated SCTP association resets from a single gNodeB peer on the N2 interface
- NGAP decode errors or malformed PDU warnings emitted by the AMF logger
- Sudden spikes in failed UE registration or mobility procedures across a tracking area
Detection Strategies
- Inspect AMF container logs for Go runtime panics referencing ngap/dispatcher.go or related NGAP handler frames
- Deploy network monitoring on the N2 interface to flag malformed NGAP messages and abnormal message-type distributions
- Correlate AMF restart events with originating gNodeB identifiers to identify a hostile peer
- Track build versions across the 5G core to identify AMF instances still running 2.1.3-dev or earlier
Monitoring Recommendations
- Alert on AMF pod restart counts exceeding baseline within Kubernetes orchestration platforms
- Forward AMF, SCTP, and NGAP telemetry to a centralized SIEM with retention for post-incident review
- Monitor 5G core key performance indicators such as registration success rate and N2 setup failures for sudden degradation
How to Mitigate CVE-2026-8780
Immediate Actions Required
- Upgrade omec-project AMF to version 2.2.0 or later, which resolves CVE-2026-8780 and related issues fixed in the same pull request
- Inventory all AMF deployments to identify instances running 2.1.3-dev or earlier and prioritize patching
- Restrict N2 interface reachability to authorized gNodeB peers using network segmentation and access control lists
- Review AMF logs for prior crashes that may indicate exploitation attempts
Patch Information
The fix is published in GitHub Release v2.2.0. The corresponding change is tracked in GitHub Pull Request #666, which addresses CVE-2026-8780 along with additional security issues reported in GitHub Issue #670. Operators should rebuild and redeploy AMF container images from the patched release.
Workarounds
- Limit NGAP/SCTP connectivity to the AMF using firewall rules that allow only known gNodeB source addresses
- Deploy IPsec on the N2 interface as recommended by 3GPP to authenticate peers and reduce exposure to untrusted hosts
- Enable AMF process supervision and automatic restart to reduce service downtime if a crash is triggered while patches are deployed
# Configuration example
# Verify the running AMF version and upgrade the container image
kubectl get pods -n omec -l app=amf -o jsonpath='{.items[*].spec.containers[*].image}'
kubectl set image deployment/amf amf=omecproject/5gc-amf:v2.2.0 -n omec
kubectl rollout status deployment/amf -n omec
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
