CVE-2026-9301 Overview
CVE-2026-9301 is a memory corruption vulnerability affecting the omec-project/amf Access and Mobility Management Function (AMF) implementation up to version 2.1.1. The flaw resides in the NGReset Message Handler component and is triggered by manipulation of unspecified inputs processed by that handler. Exploitation occurs over the network and requires low privileges, with no user interaction. A public exploit description has been published, increasing the likelihood of opportunistic abuse against exposed 5G core deployments. The maintainers have released a patch, and operators running omec-project AMF should upgrade to a fixed release.
Critical Impact
Remote, low-privilege attackers can trigger memory corruption in the AMF NGReset Message Handler, threatening the stability and integrity of 5G core signaling functions [CWE-119].
Affected Products
- omec-project AMF versions up to and including 2.1.1
- Deployments using the affected NGReset Message Handler code path
- 5G core environments integrating the vulnerable omec-project AMF component
Discovery Timeline
- 2026-05-23 - CVE-2026-9301 published to the National Vulnerability Database (NVD)
- 2026-05-26 - Last updated in NVD database
- 2026-05-28 - EPSS scoring published for CVE-2026-9301
Technical Details for CVE-2026-9301
Vulnerability Analysis
The vulnerability is classified as Improper Restriction of Operations within the Bounds of a Memory Buffer [CWE-119]. The defect is located in the NGReset Message Handler inside the omec-project AMF. The AMF is a control plane function in 5G core networks that terminates NAS signaling and N2 (NGAP) procedures from gNodeBs. The NGReset procedure is initiated by an NG-RAN node to reset NGAP signaling state with the AMF. When the handler processes a crafted NGReset message, manipulation of message fields causes memory corruption inside the AMF process. The attack is remotely reachable from any peer that can establish NGAP signaling with the AMF and supply the malformed payload.
Root Cause
The root cause is insufficient validation of input fields parsed by the NGReset Message Handler before they are used in memory operations. Bounds checks on attacker-controlled length or index values are missing or incomplete, allowing reads or writes outside the intended buffer. CWE-119 captures this class of defect, where operations on a memory buffer exceed the buffer's allocated bounds.
Attack Vector
An attacker with network reachability to the AMF's N2 interface and the ability to act as, or pivot from, a peer NG-RAN signaling endpoint can submit a crafted NGReset message. The vulnerability requires low privileges and no user interaction. Successful exploitation produces memory corruption, which can result in process crash, disruption of mobility management for connected UEs, or potential corruption of in-memory signaling state. The exploit has been made public per the VulDB advisory, lowering the barrier for reuse.
No verified proof-of-concept code is published in the referenced sources. See GitHub Pull Request #666 and GitHub Issue #678 for code-level context on the fix.
Detection Methods for CVE-2026-9301
Indicators of Compromise
- Unexpected restarts, crash loops, or segmentation faults logged by the omec-project AMF process
- Unusual NGAP NGReset messages originating from gNodeB peers, particularly with malformed or oversized information elements
- Loss of NGAP association between AMF and one or more gNBs followed by mass UE re-registration events
Detection Strategies
- Inspect NGAP traffic on the N2 interface for NGReset PDUs with anomalous field lengths or unexpected IE encodings
- Correlate AMF process termination events with preceding inbound NGAP messages to identify causal signaling
- Track version inventory of omec-project/amf deployments and flag instances running 2.1.1 or earlier
Monitoring Recommendations
- Forward AMF container and host logs, including crash dumps and stderr, to a centralized logging pipeline
- Enable NGAP-aware packet capture or flow logging at the N2 boundary for forensic replay
- Alert on repeated NGReset messages from a single gNB peer within short time windows
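The correlation and rate-alert items in the two lists above can be combined in one pass over time-ordered events. The following is an added example, not code from the omec-project or the advisory; the event tuple layout, the sample data, and the thresholds (`burst`, `window`, `lookback`) are assumptions to adapt to your own NGAP capture and container restart telemetry.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real AMF output). Assumed to be normalized
# upstream: NGAP messages from N2 capture, restarts from the container runtime.
EVENTS = [
    ("2026-05-24T10:00:00", "ngap", "10.20.1.5", "NGSetupRequest"),
    ("2026-05-24T10:00:10", "ngap", "10.20.1.9", "NGReset"),
    ("2026-05-24T10:05:00", "ngap", "10.20.1.5", "NGReset"),
    ("2026-05-24T10:05:02", "ngap", "10.20.1.5", "NGReset"),
    ("2026-05-24T10:05:03", "ngap", "10.20.1.5", "NGReset"),
    ("2026-05-24T10:05:04", "amf_restart", None, None),
    ("2026-05-24T11:00:00", "amf_restart", None, None),
]

def analyze(events, burst=3, window=timedelta(seconds=10),
            lookback=timedelta(seconds=5)):
    """Return (burst_alerts, crash_correlations) for time-ordered events."""
    per_peer = defaultdict(deque)  # peer -> NGReset timestamps inside `window`
    recent = deque()               # NGAP messages seen inside `lookback`
    bursts, crashes = [], []
    for ts_raw, kind, peer, msg in events:
        ts = datetime.fromisoformat(ts_raw)
        # Drop NGAP messages too old to explain a restart happening now.
        while recent and ts - recent[0][0] > lookback:
            recent.popleft()
        if kind == "ngap":
            recent.append((ts, peer, msg))
            if msg == "NGReset":
                q = per_peer[peer]
                q.append(ts)
                while ts - q[0] > window:
                    q.popleft()
                if len(q) >= burst:
                    # Repeated NGReset from one gNB peer in a short window.
                    bursts.append((ts_raw, peer, len(q)))
        elif kind == "amf_restart":
            # Peers that sent NGReset shortly before the AMF went down.
            suspects = sorted({p for _, p, m in recent if m == "NGReset"})
            crashes.append((ts_raw, suspects))
    return bursts, crashes

if __name__ == "__main__":
    burst_alerts, crash_links = analyze(EVENTS)
    print("NGReset bursts:", burst_alerts)
    print("Restarts and preceding NGReset peers:", crash_links)
```

A restart with an empty suspect list, like the second one in the sample, is still worth recording: it separates crashes with no preceding NGReset from those that warrant pulling the N2 capture for that peer.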
How to Mitigate CVE-2026-9301
Immediate Actions Required
- Upgrade omec-project AMF to a release that includes the fix referenced in GitHub Pull Request #666
- Restrict N2 interface exposure so that only authorized gNB peers can reach the AMF signaling endpoint
- Audit existing deployments for version 2.1.1 or earlier and prioritize remediation of internet-adjacent instances
Patch Information
The maintainers have published a fix through the upstream project. Review the merged changes in GitHub Pull Request #666 and the originating discussion in GitHub Issue #678. Rebuild or pull container images from the omec-project AMF repository once the fix is incorporated, and redeploy across all AMF replicas. Additional advisory context is available at VulDB Vulnerability #365248.
Workarounds
- Place the AMF behind network policy that enforces strict peer allow-listing on the N2 interface
- Apply IPsec or other transport-layer protection between gNBs and the AMF to limit exposure to untrusted networks
- Monitor and rate-limit NGReset signaling from individual peers to reduce abuse surface until patching completes
```bash
# Kubernetes NetworkPolicy example: restrict AMF N2 ingress to known gNB CIDRs
# Replace CIDRs and labels to match your environment
# Note: SCTP rules are only enforced if the cluster's CNI plugin supports SCTP in NetworkPolicy
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: amf-n2-restrict
  namespace: omec
spec:
  podSelector:
    matchLabels:
      app: amf
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: 10.20.0.0/16
      ports:
        - protocol: SCTP
          port: 38412
EOF
```


