CVE-2026-8781 Overview
CVE-2026-8781 is a null pointer dereference vulnerability in the omec-project Access and Mobility Management Function (AMF) component, affecting versions up to 2.1.3-dev. The flaw resides in the RANConfiguration function within ngap/handler.go. An authenticated remote attacker can trigger the dereference by sending crafted NGAP messages, causing the AMF process to crash. A public exploit has been released. The issue is classified under CWE-404 (Improper Resource Shutdown or Release) and is resolved in version 2.2.0.
Critical Impact
A remote, low-privileged attacker can crash the AMF service, disrupting 5G core mobility management and degrading availability across connected radio access network nodes.
Affected Products
- omec-project AMF versions up to and including 2.1.3-dev
- 5G core deployments using the affected ngap/handler.go RANConfiguration function
- Open Mobile Evolved Core (OMEC) 5G core network deployments
Discovery Timeline
- 2026-05-18 - CVE-2026-8781 published to NVD
- 2026-05-18 - Last updated in NVD database
- omec-project AMF v2.2.0 - Patch released via GitHub Pull Request #666
Technical Details for CVE-2026-8781
Vulnerability Analysis
The vulnerability resides in the RANConfiguration function in ngap/handler.go, part of the omec-project AMF. The AMF processes NG Application Protocol (NGAP) messages exchanged with gNodeB radio access network nodes. When parsing a specific RAN configuration message, the handler dereferences a pointer without validating that the referenced object was successfully initialized. An attacker sending a malformed or unexpected NGAP message triggers the null dereference. The result is an immediate process crash, terminating active sessions and disrupting mobility management. Because the AMF is a central control-plane function in 5G core networks, an outage cascades to subscriber registration, handover, and session continuity.
Root Cause
The defect maps to CWE-404, reflecting improper handling of resources during NGAP message processing. The RANConfiguration handler does not validate that internal data structures are non-nil before invoking methods or accessing fields on them. Go runtime semantics convert such an access into a panic, which propagates and terminates the AMF process unless recovered. See the GitHub Issue #673 and Pull Request #666 for the maintainer's analysis and remediation.
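The defect class and its two usual remedies in Go, as an added illustration and not the omec-project code or the patch from Pull Request #666. The types, field names and functions below are hypothetical, and which pointer is nil in the real handler is not stated on this page.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for a decoded NGAP message; not the omec-project types.
type RANNodeName struct{ Value string }
type RANConfigMsg struct {
	RANNodeName *RANNodeName // optional IE: nil when absent from the message
}
type Ran struct{ Name string }

var errMissingIE = errors.New("RAN configuration: required IE missing")

// handleUnchecked shows the defect class: it reads through pointers
// without checking them, so a nil value panics at runtime.
func handleUnchecked(ran *Ran, msg *RANConfigMsg) {
	ran.Name = msg.RANNodeName.Value
}

// handleChecked validates every pointer first and returns an error instead.
func handleChecked(ran *Ran, msg *RANConfigMsg) error {
	if ran == nil || msg == nil || msg.RANNodeName == nil {
		return errMissingIE
	}
	ran.Name = msg.RANNodeName.Value
	return nil
}

// dispatch turns a handler panic into an error for this one message.
func dispatch(h func()) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("handler panic recovered: %v", r)
		}
	}()
	h()
	return nil
}

func main() {
	bad := &RANConfigMsg{} // constructed input: IE absent
	fmt.Println(handleChecked(&Ran{}, bad))
	fmt.Println(dispatch(func() { handleUnchecked(&Ran{}, bad) }))
}
```

recover only catches a panic in the goroutine where the deferred function runs, so a wrapper like dispatch has to sit inside each message-handling goroutine.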
Attack Vector
Exploitation requires network reachability to the AMF NGAP interface and low-level privileges sufficient to deliver an NGAP message. A compromised or malicious gNodeB, or any attacker able to interpose on the N2 interface, can submit a crafted RAN configuration message to invoke the vulnerable path. User interaction is not required. A public proof-of-concept is referenced in the VulDB entry #364405.
No verified exploit code is available for inclusion. Refer to the omec-project AMF repository for the patched implementation.
Detection Methods for CVE-2026-8781
Indicators of Compromise
- Unexpected AMF process crashes or panics referencing ngap/handler.go and the RANConfiguration function in service logs.
- Repeated NGAP session resets or N2 interface re-establishment events from one or more gNodeB peers.
- Sudden drops in registered UE counts coinciding with malformed NGAP message receipts.
Detection Strategies
- Monitor AMF container logs for Go runtime panic traces containing nil pointer dereference and stack frames within ngap package handlers.
- Inspect NGAP traffic for malformed RANConfiguration or RAN configuration update messages with missing or invalid information elements.
- Correlate AMF restart events with upstream gNodeB connections to identify the source peer triggering the fault.
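One way to implement the log check from the first strategy, as an added example that is not part of the original advisory. The sample log is constructed: its module path, file path, line number and addresses are placeholders, and the function name NgapNilPanics is hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample log: module path, file path and addresses are placeholders.
var sampleLog = strings.Join([]string{
	"panic: runtime error: invalid memory address or nil pointer dereference",
	"[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x0]",
	"",
	"goroutine 42 [running]:",
	"example.invalid/amf/ngap.RANConfiguration(...)",
	"\t/src/amf/ngap/handler.go:100 +0x1c",
	"2026-01-01T00:00:05Z INFO amf: starting",
}, "\n")

// inTrace reports whether a line belongs to the body of a Go panic trace.
func inTrace(l string) bool {
	return !strings.HasPrefix(l, "panic:") && (l == "" || strings.HasPrefix(l, "\t") ||
		strings.HasPrefix(l, "[signal") || strings.HasPrefix(l, "goroutine ") ||
		strings.HasSuffix(l, ")"))
}

// NgapNilPanics returns the ngap-package frames of each nil-dereference panic.
func NgapNilPanics(log string) [][]string {
	var hits [][]string
	var frames []string
	active := false
	// The appended sentinel line flushes a trace that ends the log.
	for _, l := range append(strings.Split(log, "\n"), "<end>") {
		if active && !inTrace(l) { // trace ended: keep it if it had ngap frames
			if len(frames) > 0 {
				hits = append(hits, frames)
			}
			active, frames = false, nil
		}
		switch {
		case strings.HasPrefix(l, "panic:"):
			active = strings.Contains(l, "nil pointer dereference")
		case active && strings.Contains(l, "/ngap.") && !strings.HasPrefix(l, "\t"):
			frames = append(frames, l)
		}
	}
	return hits
}

func main() { fmt.Println(NgapNilPanics(sampleLog)) }
```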
Monitoring Recommendations
- Alert on AMF pod or process restart frequency exceeding baseline within Kubernetes or systemd telemetry.
- Capture NGAP packet traces at the N2 interface for forensic review when crashes occur.
- Track the running AMF version across the cluster to confirm that all instances are on 2.2.0 or later.
How to Mitigate CVE-2026-8781
Immediate Actions Required
- Upgrade omec-project AMF to version 2.2.0 or later as published in the v2.2.0 release.
- Restrict N2 interface access to authenticated, trusted gNodeB peers using network segmentation and firewall rules.
- Review AMF deployment manifests and container images to confirm no pinned references to vulnerable 2.1.3-dev or earlier builds remain.
Patch Information
The maintainers resolved the issue in omec-project AMF v2.2.0. The fix is included in Pull Request #666, which addresses multiple related security issues including the null pointer dereference in the RANConfiguration handler. Operators should rebuild and redeploy AMF container images from the tagged release.
Workarounds
- Apply strict access controls on the N2 SCTP interface to permit only known gNodeB IP addresses.
- Deploy AMF instances behind a network policy that filters unexpected NGAP message types until patching completes.
- Enable automated AMF pod restart and health checks to limit downtime if the crash is triggered before upgrade.
# Configuration example: pin omec-project AMF to the patched release
# Update Helm chart or Kubernetes manifest image tag
image:
  repository: omecproject/amf
  tag: "v2.2.0"

# Verify deployed version after rollout
kubectl get pods -n omec -l app=amf -o jsonpath='{.items[*].spec.containers[*].image}'


