CVE-2026-9300 Overview
CVE-2026-9300 is a memory corruption vulnerability affecting the omec-project Access and Mobility Management Function (AMF) component up to version 2.1.1. The flaw resides in the NGSetupRequest handler and is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). An attacker with low privileges can trigger the issue remotely over the network. The exploit details have been disclosed publicly, increasing the likelihood of opportunistic exploitation against exposed 5G core deployments.
Critical Impact
Remote attackers can corrupt memory in the AMF process by sending crafted NGSetupRequest messages, potentially impacting the availability and integrity of 5G core network services.
Affected Products
- omec-project AMF versions up to and including 2.1.1
- 5G core deployments based on the ONF/omec-project AMF component
- Downstream distributions and integrations bundling the vulnerable AMF release
Discovery Timeline
- 2026-05-23 - CVE-2026-9300 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-9300
Vulnerability Analysis
The omec-project AMF is the 5G control-plane element responsible for registration, connection, and mobility management between gNodeBs and the 5G core. The NGSetupRequest is the first NGAP message exchanged when a gNB establishes an NG interface with the AMF. CVE-2026-9300 stems from improper boundary handling inside this handler, allowing malformed input to corrupt adjacent memory structures.
Because the AMF accepts NGAP traffic from peer gNodeBs over SCTP, any actor that can reach the NG interface and present minimal authenticated context can submit a crafted setup request. The resulting memory corruption may lead to denial of service of the AMF process and, depending on memory layout, influence integrity of in-process state. Public disclosure of the exploit path raises the operational risk for telecommunications operators running unpatched builds.
Root Cause
The root cause is a memory safety defect in the NGAP NGSetupRequest parsing routine, where attacker-controlled fields are processed without sufficient bounds enforcement. The condition maps directly to CWE-119. Technical specifics are tracked in GitHub Issue #679 and addressed in Pull Request #666.
Attack Vector
An attacker reaches the AMF over the NG interface, typically transported over SCTP, and submits a malformed NGSetupRequest from a rogue or compromised gNodeB. Successful exploitation requires network reachability to the AMF and low-level access consistent with a peering NG node. No user interaction is required.
No verified proof-of-concept code is published in the referenced advisories. See the omec-project AMF repository and VulDB entry #365247 for tracked technical details.
Detection Methods for CVE-2026-9300
Indicators of Compromise
- Unexpected AMF process crashes, restarts, or core dumps correlated with inbound NGAP traffic
- Malformed or oversized NGSetupRequest messages observed on SCTP port 38412 between gNB peers and the AMF
- NG interface session resets immediately following peer association from unfamiliar gNB identifiers
Detection Strategies
- Inspect NGAP message structure at the network edge to validate NGSetupRequest length and field conformance against 3GPP TS 38.413
- Correlate AMF container or pod restart events with preceding NGAP connection attempts in 5G core logs
- Baseline expected gNB peers and alert on NG associations from unauthorized source addresses or PLMN identifiers
Monitoring Recommendations
- Forward AMF application logs, SCTP association events, and Kubernetes pod lifecycle events to a centralized analytics platform
- Monitor for repeated short-lived NGAP associations from a single peer, which can indicate iterative exploit attempts
- Track CPU, memory, and crash metrics on AMF workloads to detect anomalies consistent with memory corruption
How to Mitigate CVE-2026-9300
Immediate Actions Required
- Inventory all omec-project AMF deployments and identify instances running version 2.1.1 or earlier
- Restrict NG interface reachability to known gNodeB peer addresses using network policy or firewall rules
- Apply the upstream fix from Pull Request #666 once incorporated into a tagged release
- Enable SCTP-level peer validation and IPsec where supported between gNB and AMF endpoints
Patch Information
The remediation is tracked in omec-project AMF Pull Request #666, which addresses the NGSetupRequest handler. Operators should rebuild AMF container images from a commit incorporating this fix and roll out updated workloads through their existing 5G core CI/CD pipeline. Additional context is available in GitHub Issue #679 and VulDB #365247.
Workarounds
- Place the AMF behind a 5G-aware security gateway capable of validating NGAP message structure
- Limit SCTP exposure of the AMF to dedicated transport networks rather than shared or routable segments
- Implement strict allowlists for gNB peers at the SCTP and IP layers until patched builds are deployed
# Example: restrict SCTP/38412 ingress to known gNB peers using iptables
iptables -A INPUT -p sctp --dport 38412 -s 10.10.20.0/24 -j ACCEPT
iptables -A INPUT -p sctp --dport 38412 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
