Executive Summary

CVE-2026-33904 is a deadlock vulnerability in the SCTP (Stream Control Transmission Protocol) connection cleanup process within the AMF (Access and Mobility Function) component of the Ella Core 5G core software, versions prior to 1.7.0.

The deadlock occurs in the SCTP notification handler, causing the entire AMF control plane to hang indefinitely until the process is manually restarted.

An attacker with access to the N2 interface (the interface between the AMF and the Radio Access Network) can exploit this vulnerability to cause the system to hang, resulting in a denial of service.

The root cause is a deadlock condition where multiple threads or executable segments wait on each other to release locks during SCTP connection cleanup.

The fix in version 1.7.0 adds deferred radio cleanup in the SCTP server's serveConn function to ensure every connection exit path removes the radio resource and removes the stale-entry scan from SCTP notification handling to prevent the deadlock.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause the entire AMF control plane in the Ella Core 5G core to hang indefinitely, resulting in a denial of service (DoS) for all subscribers managed by the AMF.

Since the AMF is a critical component managing access and mobility functions, its unavailability means that subscribers cannot be served, effectively disrupting network services.

The attack requires only access to the N2 interface and no special privileges or user interaction, making it relatively easy to exploit.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability causes the AMF control plane in Ella Core to hang indefinitely due to a deadlock in the SCTP notification handler. Detection can focus on monitoring the AMF process for unresponsiveness or hangs, especially related to SCTP connections on the N2 interface.

Suggested detection methods include checking if the AMF process is hung or not responding and monitoring SCTP connection states on the N2 interface.

• Use system process monitoring commands like `ps`, `top`, or `htop` to check if the AMF process is running and responsive.
• Use `netstat -anp | grep sctp` or `ss -sctp` to monitor SCTP connections and their states on the system.
• Check logs of the AMF component for repeated SCTP notification handling or deadlock-related messages.
• If possible, use application-specific debugging or health check endpoints to verify AMF responsiveness.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Ella Core to version 1.7.0 or later, where the vulnerability is fixed by adding deferred radio cleanup in the SCTP server's serveConn function and removing the stale-entry scan from SCTP notification handling.

Until the upgrade can be applied, consider monitoring and restarting the AMF process if it becomes unresponsive to reduce downtime caused by the deadlock.

Restrict access to the N2 interface to trusted entities only, as the vulnerability can be exploited by an attacker with access to this interface.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability described in CVE-2026-33904 causes a denial of service (DoS) by hanging the AMF control plane, but it does not impact confidentiality or integrity of data.

Since the CVSS metrics indicate no confidentiality or integrity impact (C:N, I:N), the vulnerability primarily affects availability.

There is no information provided about direct effects on compliance with standards such as GDPR or HIPAA, which typically focus on data confidentiality and integrity.

Therefore, while the DoS could affect service availability, there is no explicit indication that this vulnerability causes non-compliance with common data protection regulations.

Useful 0 Not Useful 0