Cyber Posture

CVE-2024-24442

High

Published: 21 January 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0028 (51.4th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Description

A NULL pointer dereference in the ngap_app::handle_receive routine of OpenAirInterface CN5G AMF (oai-cn5g-amf) up to v2.0.0 allows attackers to cause a Denial of Service (DoS) via a crafted NGAP message.

Security Summary

CVE-2024-24442 is a NULL pointer dereference vulnerability in the ngap_app::handle_receive routine of OpenAirInterface CN5G AMF (oai-cn5g-amf) versions up to v2.0.0. This flaw, classified under CWE-476, enables attackers to trigger a Denial of Service (DoS) condition through a specially crafted NGAP message. The vulnerability carries a CVSS v3.1 base score of 7.5, reflecting its high impact on availability with no effects on confidentiality or integrity.

Remote attackers require no privileges or user interaction to exploit this issue over the network with low complexity. By sending a malicious NGAP message to the affected AMF component, an unauthenticated adversary can cause the application to crash, disrupting service availability in 5G core network environments relying on OpenAirInterface.

Mitigation details and patches are referenced in advisories available at http://openairinterface.com and https://cellularsecurity.org/ransacked. Security practitioners should consult these sources for upgrade guidance beyond oai-cn5g-amf v2.0.0.

Details

CWE(s)
CWE-476
