Go modules package
github.com/ellanetworks/core
pkg:golang/github.com/ellanetworks/core
Vulnerabilities (14)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44474 | low | — | < 1.10.0 | 1.10.0 | May 11, 2026 | ## Summary Ella Core didn't enforce security rules on concurrent running of security procedures defined in TS 33.501 §6.9.5.1 — it could send a NAS Security Mode Command while an N2 handover was still pending (and vice versa). ## Impact Concurrent Security Mode Command and N2 | |
| CVE-2026-44475 | — | < 1.10.0 | 1.10.0 | May 11, 2026 | ## Summary Ella Core does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values. A malicious gNB can overwrite Ella Core's stored UE security capabilities for any UE with arbitrary values by sending a single crafted | ||
| CVE-2026-44473 | hig | — | < 1.10.0 | 1.10.0 | May 11, 2026 | ## Summary A radio with a valid NG Setup can send a forged PDUSessionResourceSetupResponse carrying any UE's AMF-UE-NGAP-ID. Ella Core does not verify the message arrived on the SCTP association bound to that UE's logical NG-connection, then creates a GTP tunnel towards that rad | |
| CVE-2026-34762 | Low | 2.7 | < 1.8.0 | 1.8.0 | Apr 2, 2026 | Ella Core is a 5G core designed for private networks. Prior to version 1.8.0, the PUT /api/v1/subscriber/{imsi} API accepts an IMSI identifier from both the URL path and the JSON request body but never verifies they match. This allows an authenticated NetworkManager to modify any | |
| CVE-2026-34761 | Med | 5.8 | < 1.8.0 | 1.8.0 | Apr 2, 2026 | Ella Core is a 5G core designed for private networks. Prior to version 1.8.0, Ella Core panics when processing a NGAP handover failure message. An attacker able to cause a gNodeB to send NGAP handover failure messages to Ella Core can crash the process, causing service disruption | |
| CVE-2026-33907 | Med | 6.5 | < 1.7.0 | 1.7.0 | Mar 27, 2026 | Ella Core is a 5G core designed for private networks. Versions prior to 1.7.0 panic when processing Authentication Response and Authentication Failure NAS message missing IEs. An attacker able to send crafted NAS messages to Ella Core can crash the process, causing service disrup | |
| CVE-2026-33906 | Hig | 7.2 | < 1.7.0 | 1.7.0 | Mar 27, 2026 | Ella Core is a 5G core designed for private networks. Prior to version 1.7.0, the NetworkManager role was granted backup and restore permission. The restore endpoint accepted any valid SQLite file without verifying its contents. A NetworkManager could replace the production datab | |
| CVE-2026-33904 | Med | 6.5 | < 1.7.0 | 1.7.0 | Mar 27, 2026 | Ella Core is a 5G core designed for private networks. Prior to version 1.7.0, a deadlock in the AMF's SCTP notification handler causes the entire AMF control plane to hang until the process is restarted. An attacker with access to the N2 interface can cause Ella Core to hang, res | |
| CVE-2026-33903 | Med | 6.5 | < 1.7.0 | 1.7.0 | Mar 27, 2026 | Ella Core is a 5G core designed for private networks. Versions prior to 1.7.0 panic when processing a specially crafted NGAP LocationReport message. An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected sub | |
| CVE-2026-33283 | — | < 1.6.0 | 1.6.0 | Mar 23, 2026 | Ella Core is a 5G core designed for private networks. Versions prior to 1.6.0 panic when processing malformed UL NAS Transport NAS messages without a Request Type. An attacker able to send crafted NAS messages to Ella Core can crash the process, causing service disruption for all | ||
| CVE-2026-33282 | — | < 1.6.0 | 1.6.0 | Mar 23, 2026 | Ella Core is a 5G core designed for private networks. Versions prior to 1.6.0 panic when processing a malformed NGAP LocationReport message with `ue-presence-in-area-of-interest` event type and omitting the optional `UEPresenceInAreaOfInterestList` IE. An attacker able to send c | ||
| CVE-2026-33281 | — | < 1.6.0 | 1.6.0 | Mar 23, 2026 | Ella Core is a 5G core designed for private networks. Versions prior to 1.6.0 panic when processing NGAP messages with invalid PDU Session IDs outside of 1-15. An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all co | ||
| CVE-2026-32320 | — | < 1.5.1 | 1.5.1 | Mar 12, 2026 | Ella Core is a 5G core designed for private networks. Prior to 1.5.1, Ella Core panics when processing a PathSwitchRequest containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings, resulting in a denial of service. An attacke | ||
| CVE-2026-32319 | — | < 1.5.1 | 1.5.1 | Mar 12, 2026 | Ella Core is a 5G core designed for private networks. Prior to 1.5.1, Ella Core panics when processing a malformed integrity protected NGAP/NAS message with a length under 7 bytes. An attacker able to send crafted NAS messages to Ella Core can crash the process, causing service d |
- affected < 1.10.0fixed 1.10.0
## Summary Ella Core didn't enforce security rules on concurrent running of security procedures defined in TS 33.501 §6.9.5.1 — it could send a NAS Security Mode Command while an N2 handover was still pending (and vice versa). ## Impact Concurrent Security Mode Command and N2
- CVE-2026-44475May 11, 2026affected < 1.10.0fixed 1.10.0
## Summary Ella Core does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values. A malicious gNB can overwrite Ella Core's stored UE security capabilities for any UE with arbitrary values by sending a single crafted
- affected < 1.10.0fixed 1.10.0
## Summary A radio with a valid NG Setup can send a forged PDUSessionResourceSetupResponse carrying any UE's AMF-UE-NGAP-ID. Ella Core does not verify the message arrived on the SCTP association bound to that UE's logical NG-connection, then creates a GTP tunnel towards that rad
- affected < 1.8.0fixed 1.8.0
Ella Core is a 5G core designed for private networks. Prior to version 1.8.0, the PUT /api/v1/subscriber/{imsi} API accepts an IMSI identifier from both the URL path and the JSON request body but never verifies they match. This allows an authenticated NetworkManager to modify any
- affected < 1.8.0fixed 1.8.0
Ella Core is a 5G core designed for private networks. Prior to version 1.8.0, Ella Core panics when processing a NGAP handover failure message. An attacker able to cause a gNodeB to send NGAP handover failure messages to Ella Core can crash the process, causing service disruption
- affected < 1.7.0fixed 1.7.0
Ella Core is a 5G core designed for private networks. Versions prior to 1.7.0 panic when processing Authentication Response and Authentication Failure NAS message missing IEs. An attacker able to send crafted NAS messages to Ella Core can crash the process, causing service disrup
- affected < 1.7.0fixed 1.7.0
Ella Core is a 5G core designed for private networks. Prior to version 1.7.0, the NetworkManager role was granted backup and restore permission. The restore endpoint accepted any valid SQLite file without verifying its contents. A NetworkManager could replace the production datab
- affected < 1.7.0fixed 1.7.0
Ella Core is a 5G core designed for private networks. Prior to version 1.7.0, a deadlock in the AMF's SCTP notification handler causes the entire AMF control plane to hang until the process is restarted. An attacker with access to the N2 interface can cause Ella Core to hang, res
- affected < 1.7.0fixed 1.7.0
Ella Core is a 5G core designed for private networks. Versions prior to 1.7.0 panic when processing a specially crafted NGAP LocationReport message. An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected sub
- CVE-2026-33283Mar 23, 2026affected < 1.6.0fixed 1.6.0
Ella Core is a 5G core designed for private networks. Versions prior to 1.6.0 panic when processing malformed UL NAS Transport NAS messages without a Request Type. An attacker able to send crafted NAS messages to Ella Core can crash the process, causing service disruption for all
- CVE-2026-33282Mar 23, 2026affected < 1.6.0fixed 1.6.0
Ella Core is a 5G core designed for private networks. Versions prior to 1.6.0 panic when processing a malformed NGAP LocationReport message with `ue-presence-in-area-of-interest` event type and omitting the optional `UEPresenceInAreaOfInterestList` IE. An attacker able to send c
- CVE-2026-33281Mar 23, 2026affected < 1.6.0fixed 1.6.0
Ella Core is a 5G core designed for private networks. Versions prior to 1.6.0 panic when processing NGAP messages with invalid PDU Session IDs outside of 1-15. An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all co
- CVE-2026-32320Mar 12, 2026affected < 1.5.1fixed 1.5.1
Ella Core is a 5G core designed for private networks. Prior to 1.5.1, Ella Core panics when processing a PathSwitchRequest containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings, resulting in a denial of service. An attacke
- CVE-2026-32319Mar 12, 2026affected < 1.5.1fixed 1.5.1
Ella Core is a 5G core designed for private networks. Prior to 1.5.1, Ella Core panics when processing a malformed integrity protected NGAP/NAS message with a length under 7 bytes. An attacker able to send crafted NAS messages to Ella Core can crash the process, causing service d