CVE-2026-32320
Received Received - Intake
Denial of Service in Ella Core 5G via NGAP Message Parsing

Publication date: 2026-03-13

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
Ella Core is a 5G core designed for private networks. Prior to 1.5.1, Ella Core panics when processing a PathSwitchRequest containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings, resulting in a denial of service. An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required. This vulnerability is fixed in 1.5.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32320
EUVD
EUVD-2026-11724
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ellanetworks ella_core to 1.5.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32320 is a moderate severity vulnerability affecting versions of the Ella Core Go package prior to 1.5.1. The issue occurs when Ella Core processes a PathSwitchRequest containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings. The system attempts to access these bitstrings without validating their length, leading to an out-of-bounds read and causing the application to panic and crash.

An attacker can exploit this remotely by sending crafted NGAP messages without requiring authentication or user interaction, causing a denial of service (DoS) that disrupts service for all connected subscribers.

Impact Analysis

This vulnerability can cause a denial of service by crashing the Ella Core process when it receives specially crafted NGAP messages. As a result, all connected subscribers experience service disruption.

The attack requires low privileges and no authentication, making it relatively easy for an attacker to exploit remotely and cause significant availability issues.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring for crashes or panics in the Ella Core process when it processes NGAP PathSwitchRequest messages containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings.

Since the vulnerability is triggered by crafted NGAP messages, network traffic analysis tools can be used to inspect NGAP messages for suspicious PathSwitchRequest packets with zero-length NR algorithm bitstrings.

Specific commands are not provided in the available resources, but general approaches include:

  • Checking system logs for Ella Core process crashes or panics.
  • Using packet capture tools (e.g., tcpdump, Wireshark) to filter and analyze NGAP traffic for malformed PathSwitchRequest messages.
  • Implementing monitoring scripts to detect unexpected restarts or downtime of the Ella Core service.
Mitigation Strategies

The immediate mitigation step is to upgrade Ella Core to version 1.5.1 or later, where the vulnerability is fixed by adding length validation checks on the NR algorithm bitstrings in PathSwitchRequest messages.

Until the upgrade can be applied, consider restricting or filtering NGAP traffic to prevent untrusted sources from sending crafted PathSwitchRequest messages that could trigger the crash.

Monitoring the Ella Core service for crashes and restarting it promptly can reduce downtime, but this does not prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32320. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart