CVE-2026-32320
📋 TL;DR
Ella Core 5G private network software crashes when processing crafted NGAP messages with malformed UE Security Capabilities, causing denial of service for all connected subscribers. Attackers can exploit this without authentication by sending specially crafted PathSwitchRequest messages. All Ella Core deployments prior to version 1.5.1 are affected.
💻 Affected Systems
- Ella Core
📦 What is this software?
Ella Core by Ellanetworks
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption for all subscribers on the affected Ella Core instance, requiring manual restart and causing extended 5G service outage.
Likely Case
Intermittent service crashes leading to repeated denial of service for connected subscribers until the system is patched.
If Mitigated
Limited impact if network segmentation prevents external access to NGAP interface, though internal threats could still cause disruption.
🎯 Exploit Status
Exploitation requires sending crafted NGAP messages to the vulnerable interface, which is straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.1
Vendor Advisory: https://github.com/ellanetworks/core/security/advisories/GHSA-j478-p7vq-3347
Restart Required: Yes
Instructions:
1. Backup current configuration. 2. Download Ella Core 1.5.1 from official repository. 3. Stop Ella Core service. 4. Install version 1.5.1. 5. Restart Ella Core service. 6. Verify service is running and processing traffic normally.
🔧 Temporary Workarounds
Network Segmentation
linuxRestrict access to NGAP interface using firewall rules to only trusted network elements.
iptables -A INPUT -p sctp --dport 38412 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p sctp --dport 38412 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit NGAP interface exposure to only essential network functions
- Deploy intrusion detection systems to monitor for malformed NGAP messages and alert on potential exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check Ella Core version: if version is less than 1.5.1, system is vulnerable.Check Version:
Check Ella Core documentation for version command or examine service logs for version informationVerify Fix Applied:
Confirm Ella Core version is 1.5.1 or higher and monitor for process crashes during normal operation.📡 Detection & Monitoring
Log Indicators:
- Ella Core process crashes
- Panic messages in logs related to PathSwitchRequest processing
- Service restart events
Network Indicators:
- Unusual NGAP message patterns
- PathSwitchRequest messages with malformed UE Security Capabilities
SIEM Query:
source="ella_core.log" AND (panic OR crash OR "PathSwitchRequest" AND "zero-length")