CVE-2026-8782 Overview
CVE-2026-8782 is a null pointer dereference vulnerability in the omec-project Access and Mobility Management Function (AMF) implementation, affecting versions up to 2.1.3-dev. The flaw resides in an unknown function within ngap/handler.go, part of the NG Application Protocol (NGAP) Message Handler component. Remote attackers with low privileges can trigger the dereference by sending crafted NGAP messages to the AMF, causing a process crash. The issue is tracked under CWE-404: Improper Resource Shutdown or Release. The omec-project maintainers addressed this issue in version 2.2.0 through a pull request that resolves multiple security issues simultaneously.
Critical Impact
A remote authenticated attacker can crash the AMF service by sending malformed NGAP messages, disrupting 5G core network signaling and mobility management for connected user equipment.
Affected Products
- omec-project AMF versions up to and including 2.1.3-dev
- Component: NGAP Message Handler (ngap/handler.go)
- Fixed in omec-project AMF v2.2.0
Discovery Timeline
- 2026-05-18 - CVE-2026-8782 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-8782
Vulnerability Analysis
The omec-project AMF is an open-source 5G core network component implementing 3GPP-defined Access and Mobility Management Function behavior. NGAP is the control plane signaling protocol between the AMF and the Next Generation Radio Access Network (NG-RAN). The vulnerability occurs in the NGAP message processing path within ngap/handler.go, where input from incoming NGAP messages is dereferenced without confirming non-null state.
When the AMF receives a malformed or unexpected NGAP message, the handler accesses a pointer field that the message did not populate. The Go runtime then raises a nil pointer panic, terminating the AMF process. The issue is classified under CWE-404, reflecting improper resource handling during message parsing. The exploit prediction scoring places this at a low probability of opportunistic exploitation in the wild.
Root Cause
The root cause is missing validation of pointer-typed fields in decoded NGAP Protocol Data Units (PDUs) before they are accessed in the handler logic. The fix in Pull Request #666 addresses this and other related issues in NGAP processing.
Attack Vector
Exploitation requires network reachability to the AMF NGAP endpoint and low-privilege access sufficient to deliver a crafted NGAP message. In typical 5G core deployments, this means an attacker positioned within the operator's signaling network or a compromised gNodeB. No user interaction is needed. A public proof-of-concept is referenced in the VulDB entry #364406. See the GitHub Issue #674 for additional technical context.
Detection Methods for CVE-2026-8782
Indicators of Compromise
- Unexpected AMF process crashes or restart loops with Go runtime panic traces referencing ngap/handler.go
- NGAP signaling disruptions affecting User Equipment (UE) registration and mobility procedures
- Anomalous NGAP messages originating from a single gNodeB peer immediately preceding AMF termination
Detection Strategies
- Monitor AMF container or process exit codes and panic logs for nil pointer dereference stack traces
- Inspect NGAP message flows for malformed or non-conforming PDUs against 3GPP TS 38.413 specifications
- Correlate gNodeB session resets with AMF restart events in the orchestration platform
Monitoring Recommendations
- Forward AMF stdout/stderr and Kubernetes pod events to a centralized logging platform for panic detection
- Track NGAP control plane health metrics including message decode failures and peer reset rates
- Alert on AMF pod restart counts exceeding baseline thresholds within short observation windows
How to Mitigate CVE-2026-8782
Immediate Actions Required
- Upgrade omec-project AMF to version 2.2.0 or later, which contains the fix from Pull Request #666
- Restrict network access to the AMF NGAP listener so only authorized gNodeB peers can establish SCTP associations
- Review NGAP peer authentication and validate that only trusted RAN elements participate in signaling
Patch Information
The upstream fix is included in omec-project AMF release v2.2.0. The same pull request resolves multiple security issues in the NGAP handler, so operators should apply the full release rather than back-porting individual changes. Refer to the omec-project AMF repository for build and deployment instructions.
Workarounds
- Apply strict network segmentation around the AMF, limiting NGAP SCTP connectivity to authenticated gNodeB endpoints
- Deploy AMF instances with automated restart policies and horizontal redundancy to limit service disruption during a crash
- Enable detailed NGAP message logging to support rapid forensic review if a crash occurs
# Configuration example: pin omec-project AMF to the fixed version
# Helm values snippet for omec-project AMF deployment
image:
repository: registry.aetherproject.org/omecproject/5gc-amf
tag: v2.2.0
pullPolicy: IfNotPresent
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
