Ella Core: AMF DoS via malformed PathSwitchRequest with empty NR security capability bitstrings
Description
Ella Core is a 5G core designed for private networks. Prior to 1.5.1, Ella Core panics when processing a PathSwitchRequest containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings, resulting in a denial of service. An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required. This vulnerability is fixed in 1.5.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ella Core 5G core panics on crafted PathSwitchRequest with zero-length security capabilities, allowing unauthenticated remote DoS. Fixed in v1.5.1.
Vulnerability
Details Ella Core, a 5G core for private networks, contains a denial-of-service vulnerability in the Access and Mobility Management Function (AMF). When processing a PathSwitchRequest message, the software does not properly validate the length of the UE Security Capabilities information element, specifically the NR encryption algorithm bitstring and NR integrity protection algorithm bitstring. If these bitstrings are zero-length, the system panics, leading to a crash [1][4].
Exploitation
An attacker with network access to the Ella Core instance can send a crafted NGAP (Next Generation Application Protocol) PathSwitchRequest message with zero-length security capability bitstrings. No authentication is required, and no prior knowledge of the network is necessary beyond the IP address of the AMF. The lack of input validation makes this a trivial remote exploit [1].
Impact
Successful exploitation crashes the Ella Core process, causing a denial of service for all connected subscribers. Since the entire 5G core is contained in a single binary, any disruption affects all users. The attacker can repeatedly send such messages to maintain the denial of service, and recovery requires restarting the service [1][4].
Mitigation
The vulnerability is fixed in Ella Core version 1.5.1, released on 2026-03-12 [3]. Users are strongly advised to upgrade immediately. No workarounds are available. This vulnerability is not known to be exploited in the wild at the time of publication, but given its simplicity, urgent patching is recommended [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/ellanetworks/coreGo | < 1.5.1 | 1.5.1 |
Affected products
1- ellanetworks/corev5Range: < 1.5.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-j478-p7vq-3347ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-32320ghsaADVISORY
- github.com/ellanetworks/core/releases/tag/v1.5.1ghsaWEB
- github.com/ellanetworks/core/security/advisories/GHSA-j478-p7vq-3347ghsax_refsource_CONFIRMWEB
- pkg.go.dev/vuln/GO-2026-4691ghsaWEB
News mentions
0No linked articles in our index yet.