CVE-2026-8783 Overview
CVE-2026-8783 is a null pointer dereference vulnerability in the omec-project Access and Mobility Management Function (AMF) component used in 5G core network deployments. The flaw resides in the UERadioCapabilityCheckResponse function within ngap/dispatcher.go and affects versions up to 2.1.3-dev. An authenticated remote attacker can trigger the dereference, causing the AMF process to crash. The exploit details have been disclosed publicly. The maintainers fixed the issue in version 2.2.0 through a single pull request that addresses multiple related defects.
Critical Impact
Successful exploitation crashes the AMF process, disrupting 5G signaling and mobility management for connected user equipment.
Affected Products
- omec-project AMF versions up to and including 2.1.3-dev
- 5G core deployments using the vulnerable ngap/dispatcher.go handler
- Downstream distributions packaging the affected AMF release
Discovery Timeline
- 2026-05-18 - CVE-2026-8783 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-8783
Vulnerability Analysis
The AMF is the control-plane network function responsible for registration, connection, and mobility management between user equipment (UE) and the 5G core. CVE-2026-8783 is categorized under [CWE-404] (improper resource shutdown or release) and manifests as a null pointer dereference inside the UERadioCapabilityCheckResponse handler in ngap/dispatcher.go. When the dispatcher processes a malformed or unexpected NG Application Protocol (NGAP) message, a required pointer is not validated before use. The resulting dereference terminates the AMF process and disrupts ongoing UE sessions until the service is restarted.
Root Cause
The root cause is missing input validation on fields parsed from an inbound UERadioCapabilityCheckResponse NGAP message. The handler assumes downstream objects are non-nil and dereferences them directly. A peer sending a response that omits or malforms an expected information element causes Go to panic on a nil dereference, halting the goroutine and crashing the AMF.
Attack Vector
The attack is delivered over the network through the N2 interface where the AMF terminates NGAP sessions with gNodeB peers. An attacker who has gained low-privilege access to a gNB peer or a position on the signaling path can craft and send a malformed UERadioCapabilityCheckResponse message. Network reachability to the AMF NGAP endpoint and an established SCTP association are required. The result is a denial of service against the AMF function. No code execution or data disclosure is involved.
No verified public exploit code has been catalogued for this issue. Technical specifics are tracked in the omec-project AMF Issue #675 and the corresponding Pull Request #666.
Detection Methods for CVE-2026-8783
Indicators of Compromise
- Unexpected AMF process restarts or Go runtime panic traces referencing ngap/dispatcher.go and UERadioCapabilityCheckResponse
- SCTP association resets between AMF and gNB peers immediately following malformed NGAP traffic
- Spikes in UE re-registration attempts coinciding with AMF service interruptions
Detection Strategies
- Monitor AMF container or pod logs for Go panic stack traces that reference the NGAP dispatcher path
- Inspect NGAP traffic on the N2 interface for UERadioCapabilityCheckResponse messages with missing or malformed information elements
- Correlate AMF crashes with NGAP peer source addresses to identify the originating gNB or signaling endpoint
Monitoring Recommendations
- Enable health-check probes and crash-loop alerts for AMF pods in Kubernetes deployments
- Forward NGAP packet captures and AMF logs to a central analytics pipeline for retention and correlation
- Track SCTP association uptime metrics between AMF and each connected gNB peer
How to Mitigate CVE-2026-8783
Immediate Actions Required
- Upgrade omec-project AMF to version 2.2.0, which includes the fix delivered in Pull Request #666
- Inventory all 5G core deployments to identify AMF instances running 2.1.3-dev or earlier
- Restrict N2 interface reachability to authenticated and trusted gNB peers only
Patch Information
The fix is shipped in the omec-project AMF v2.2.0 release. The same pull request resolves several additional defects, so operators should apply the full upgrade rather than backporting individual changes. Verify the upgrade by confirming the AMF binary version and reviewing the merged commits referenced in the release notes.
Workarounds
- Apply network segmentation to limit NGAP/SCTP access to vetted gNB endpoints
- Deploy AMF with automatic restart policies (for example, Kubernetes liveness probes) to reduce service downtime if a crash occurs
- Enforce mutual authentication and IPsec on the N2 interface where supported by the deployment
# Verify installed omec-project AMF version and upgrade reference
amfctl version
# Expected output should report version 2.2.0 or later after upgrade
# Source: https://github.com/omec-project/amf/releases/tag/v2.2.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
