CVE-2026-9298 Overview
CVE-2026-9298 is a memory corruption vulnerability affecting the omec-project Access and Mobility Management Function (AMF) up to version 2.1.1. The flaw resides in the PathSwitchRequest handler component and is classified under [CWE-119] for improper restriction of operations within the bounds of a memory buffer. An attacker with low privileges can trigger the vulnerability remotely over the network. The exploit details are publicly disclosed, increasing the risk of opportunistic use against exposed deployments. A patch is available through the upstream project.
Critical Impact
Remote attackers with low privileges can corrupt memory in the AMF process, potentially impacting confidentiality, integrity, and availability of 5G core network signaling.
Affected Products
- omec-project AMF versions up to and including 2.1.1
- Deployments incorporating the vulnerable PathSwitchRequest handler
- 5G core network environments using the affected ONF/OMEC AMF release
Discovery Timeline
- 2026-05-23 - CVE-2026-9298 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-9298
Vulnerability Analysis
The vulnerability exists in an unspecified function of the PathSwitchRequest handler within the omec-project AMF. The AMF is a central component of 5G core networks, responsible for registration, connection management, and mobility procedures. Manipulation of input processed by this handler results in memory corruption within the AMF process. The flaw is reachable over the network and requires only low-level privileges to exploit. Public availability of the exploit raises the probability of in-the-wild testing against exposed AMF endpoints. EPSS estimates currently rate the exploitation probability at 0.046%.
Root Cause
The root cause is improper restriction of operations within memory buffer bounds [CWE-119] in the PathSwitchRequest processing path. The handler fails to validate or constrain attacker-influenced fields before performing memory operations, allowing out-of-bounds access or buffer corruption. Upstream maintainers addressed the issue in Pull Request #666, tracked via Issue #680.
Attack Vector
The attack vector is network-based. An authenticated peer or compromised network function able to send PathSwitchRequest messages to the AMF can deliver a crafted payload that triggers memory corruption. Because the AMF terminates N2/NGAP signaling from gNodeBs, any actor able to reach the N2 interface with valid signaling-layer credentials can attempt exploitation. No user interaction is required.
No verified proof-of-concept code is available for inclusion here. Refer to the GitHub Issue Tracker entry and the VulDB record #365245 for technical context.
Detection Methods for CVE-2026-9298
Indicators of Compromise
- Unexpected AMF process crashes, restarts, or core dumps correlated with inbound NGAP signaling
- Malformed or oversized PathSwitchRequest messages on the N2 interface
- Anomalous signaling traffic from gNodeB peers that deviates from baseline message structures
Detection Strategies
- Inspect NGAP traffic for PathSwitchRequest messages with unexpected information element lengths or malformed ASN.1 encoding.
- Correlate AMF crash events with the source IP and timing of inbound signaling messages to identify exploitation attempts.
- Deploy host-based monitoring on AMF nodes to detect segmentation faults, abnormal memory allocations, and process restarts.
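The crash-to-signaling correlation described above, as an added example that is not part of the original advisory or the omec-project code. The log format, field names, peer addresses and the `amf_crash` event are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in a hypothetical "<ts> <source> key=value ..." format.
# Real AMF and supervisor logs differ; adapt parse() to your deployment.
SAMPLE_LOG = """\
2026-05-27T10:00:01Z ngap msg=PathSwitchRequest peer=10.10.1.5 len=212
2026-05-27T10:00:03Z ngap msg=InitialUEMessage peer=10.10.1.7 len=98
2026-05-27T10:00:09Z ngap msg=PathSwitchRequest peer=10.10.9.44 len=4021
2026-05-27T10:00:10Z supervisor event=amf_crash signal=SIGSEGV
2026-05-27T10:05:00Z ngap msg=PathSwitchRequest peer=10.10.1.5 len=208
2026-05-27T10:07:30Z ngap msg=PathSwitchRequest peer=10.10.9.44 len=3990
2026-05-27T10:07:31Z supervisor event=amf_crash signal=SIGSEGV
"""

LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s+(.*)$")

def parse(line):
    """Return (timestamp, source, fields) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(kv.partition("=")[::2] for kv in m.group(3).split())
    return ts, m.group(2), fields

def correlate_crashes(log_text, window_seconds=5):
    """Count, per peer, crashes preceded by its PathSwitchRequest within the window."""
    window = timedelta(seconds=window_seconds)
    pending = []   # (timestamp, peer) of PathSwitchRequests since the last crash
    suspects = {}
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, source, fields = parsed
        if source == "ngap" and fields.get("msg") == "PathSwitchRequest":
            pending.append((ts, fields.get("peer", "unknown")))
        elif fields.get("event") == "amf_crash":
            # Each peer is counted once per crash, however many messages it sent.
            near = {p for seen, p in pending if timedelta(0) <= ts - seen <= window}
            for peer in near:
                suspects[peer] = suspects.get(peer, 0) + 1
            pending.clear()  # messages before a restart cannot explain the next crash
    return suspects

if __name__ == "__main__":
    for peer, hits in sorted(correlate_crashes(SAMPLE_LOG).items()):
        print(f"{peer}: PathSwitchRequest preceded {hits} AMF crash(es)")
```

A peer that shows up before more than one crash is the one to investigate first; a single hit can be coincidence on a busy N2 interface.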
Monitoring Recommendations
- Enable verbose NGAP logging in the AMF and forward logs to a centralized SIEM for retention and analysis.
- Track PathSwitchRequest message rates per gNodeB peer and alert on statistical deviations.
- Monitor container or pod restart counts in Kubernetes-based 5G core deployments running omec-project AMF.
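One way to implement the per-peer rate alert from the list above, as an added example that is not from the advisory or the AMF project. The peer names, per-minute counts, and threshold values are constructed assumptions to tune against your own baseline.

```python
from statistics import mean, pstdev

# Constructed per-minute PathSwitchRequest counts per gNodeB peer, oldest first.
# Peer names and numbers are illustrative, not from a real deployment.
SAMPLE_COUNTS = {
    "gnb-a": [4, 5, 3, 6, 4, 5, 4, 5],
    "gnb-b": [2, 3, 2, 2, 3, 2, 3, 41],
    "gnb-c": [0, 0, 0, 0, 0, 0, 0, 1],
}

def rate_alerts(counts, baseline_len=6, z_threshold=4.0, min_count=10):
    """Flag intervals whose count deviates from that peer's own rolling baseline.

    Returns a list of (peer, interval_index, count, z_score) tuples.
    """
    alerts = []
    for peer, series in sorted(counts.items()):
        for i in range(baseline_len, len(series)):
            baseline = series[i - baseline_len:i]
            mu = mean(baseline)
            # Floor the deviation so a very steady or idle peer does not
            # produce huge z-scores from a change of one or two messages.
            sigma = max(pstdev(baseline), 1.0)
            z = (series[i] - mu) / sigma
            # min_count suppresses alerts on peers that are simply waking up.
            if series[i] >= min_count and z >= z_threshold:
                alerts.append((peer, i, series[i], round(z, 1)))
    return alerts

if __name__ == "__main__":
    for peer, idx, count, z in rate_alerts(SAMPLE_COUNTS):
        print(f"ALERT {peer}: {count} PathSwitchRequests in interval {idx} (z={z})")
```

Because the baseline is a rolling window, a sustained burst raises its own baseline after a few intervals, so alert on the first deviation rather than waiting for it to persist.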
How to Mitigate CVE-2026-9298
Immediate Actions Required
- Upgrade omec-project AMF to a version that incorporates the fix from PR #666.
- Restrict N2 interface reachability to authorized gNodeBs using network segmentation and firewall rules.
- Audit any custom forks or downstream builds of the AMF for inclusion of the patch.
Patch Information
The upstream fix is merged through Pull Request #666 in the omec-project/amf repository. Operators should rebuild container images from a patched commit and roll out updated workloads through their CI/CD pipeline. Verify that the patched build is referenced in deployment manifests before promoting to production.
Workarounds
- Place the AMF behind a signaling firewall or NGAP-aware proxy that validates PathSwitchRequest structure before forwarding.
- Limit network exposure of the AMF N2 endpoint to a trusted radio access network management subnet.
- Increase process supervision and automatic restart policies to reduce service disruption while patching is scheduled.
# Example: Restrict N2/NGAP (SCTP 38412) access to trusted gNodeB subnets
iptables -A INPUT -p sctp --dport 38412 -s 10.10.0.0/16 -j ACCEPT
iptables -A INPUT -p sctp --dport 38412 -j DROP


