CVE-2026-32320
Denial of Service in Ella Core 5G via NGAP Message Parsing
Publication date: 2026-03-13
Last updated on: 2026-03-19
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ellanetworks | ella_core | up to 1.5.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32320 is a moderate severity vulnerability affecting versions of the Ella Core Go package prior to 1.5.1. The issue occurs when Ella Core processes a PathSwitchRequest containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings. The system attempts to access these bitstrings without validating their length, leading to an out-of-bounds read and causing the application to panic and crash.
An attacker can exploit this remotely by sending crafted NGAP messages without requiring authentication or user interaction, causing a denial of service (DoS) that disrupts service for all connected subscribers.
How can this vulnerability impact me?
This vulnerability can cause a denial of service by crashing the Ella Core process when it receives specially crafted NGAP messages. As a result, all connected subscribers experience service disruption.
The attack requires low privileges and no authentication, making it relatively easy for an attacker to exploit remotely and cause significant availability issues.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or panics in the Ella Core process when it processes NGAP PathSwitchRequest messages containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings.
Since the vulnerability is triggered by crafted NGAP messages, network traffic analysis tools can be used to inspect NGAP messages for suspicious PathSwitchRequest packets with zero-length NR algorithm bitstrings.
Specific commands are not provided in the available resources, but general approaches include:
- Checking system logs for Ella Core process crashes or panics.
- Using packet capture tools (e.g., tcpdump, Wireshark) to filter and analyze NGAP traffic for malformed PathSwitchRequest messages.
- Implementing monitoring scripts to detect unexpected restarts or downtime of the Ella Core service.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Ella Core to version 1.5.1 or later, where the vulnerability is fixed by adding length validation checks on the NR algorithm bitstrings in PathSwitchRequest messages.
Until the upgrade can be applied, consider restricting or filtering NGAP traffic to prevent untrusted sources from sending crafted PathSwitchRequest messages that could trigger the crash.
Monitoring the Ella Core service for crashes and restarting it promptly can reduce downtime, but this does not prevent exploitation.
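The unchecked access described above, next to a length-validated version of the kind the fix is said to add, as an added Go example that is not Ella Core's own code. The types `BitString` and `UESecurityCapabilities` and the functions `unsafeNRAlgs`, `safeNRAlgs` and `panics` are hypothetical names chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// BitString is a hypothetical stand-in for a decoded ASN.1 BIT STRING.
type BitString struct {
	Bytes     []byte
	BitLength uint64
}

// UESecurityCapabilities holds only the two NR fields named in the advisory.
type UESecurityCapabilities struct {
	NREncryption BitString
	NRIntegrity  BitString
}

var ErrShortBitString = errors.New("NR algorithm bitstring is empty")

// unsafeNRAlgs indexes the first octet without a length check: the pattern
// the advisory describes. A zero-length bitstring makes Bytes[0] panic.
func unsafeNRAlgs(c UESecurityCapabilities) (enc, integ byte) {
	return c.NREncryption.Bytes[0], c.NRIntegrity.Bytes[0]
}

// safeNRAlgs validates both lengths first and returns an error the caller
// can turn into a rejected message instead of a process crash.
func safeNRAlgs(c UESecurityCapabilities) (enc, integ byte, err error) {
	if len(c.NREncryption.Bytes) == 0 || len(c.NRIntegrity.Bytes) == 0 {
		return 0, 0, ErrShortBitString
	}
	return c.NREncryption.Bytes[0], c.NRIntegrity.Bytes[0], nil
}

// panics reports whether the unchecked version panics on the given input.
func panics(c UESecurityCapabilities) (p bool) {
	defer func() { p = recover() != nil }()
	unsafeNRAlgs(c)
	return false
}

func main() {
	empty := UESecurityCapabilities{} // constructed: zero-length bitstrings
	_, _, err := safeNRAlgs(empty)
	fmt.Println("unchecked panics:", panics(empty), "| checked:", err)
}
```

In a message handler, an unrecovered panic like the one in `unsafeNRAlgs` terminates the whole process, which is why a single malformed message affects every connected subscriber.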