CVE-2026-8781 — AMF Vulnerable to Improper Resource Shutdown or Release

Description

A security flaw has been discovered in omec-project amf up to 2.1.3-dev. The impacted element is the function RANConfiguration of the file ngap/handler.go. The manipulation results in null pointer dereference. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 2.2.0 is sufficient to resolve this issue. Upgrading the affected component is recommended. The same pull request fixes multiple security issues.

How to fix CVE-2026-8781

To remediate CVE-2026-8781, upgrade the affected package to a fixed version below.

—upgrade to 2.2.0 or later

Is CVE-2026-8781 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.2.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-8781
PATCHgithub.com/omec-project/amf
WEBgithub.com/omec-project/amf/issues/673
WEBgithub.com/omec-project/amf/pull/666
WEBgithub.com