Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.
6.5

Ella Core Crashes on Invalid NGAP Message IDs

GHSA-q669-4gmv-g8mf CVE-2026-33281 GO-2026-4783
Summary

Ella Core may crash if it receives a specially crafted NGAP message with an invalid PDU Session ID. This could cause a service disruption for connected subscribers. To protect against this, update Ella Core to the latest version, which includes improved validation for these messages.

What to do
  • Update github.com ellanetworks to version 1.6.0.
  • Update ellanetworks github.com/ellanetworks/core to version 1.6.0.
Affected software
VendorProductAffected versionsFix available
github.com ellanetworks <= 1.6.0 1.6.0
ellanetworks github.com/ellanetworks/core <= 1.6.0 1.6.0
Original title
Ella Core is a 5G core designed for private networks. Versions prior to 1.6.0 panic when processing NGAP messages with invalid PDU Session IDs outside of 1-15. An attacker able to send crafted NGAP...
Original description
Ella Core is a 5G core designed for private networks. Versions prior to 1.6.0 panic when processing NGAP messages with invalid PDU Session IDs outside of 1-15. An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required. Version 1.6.0 added PDU Session ID validations during NGAP message handling.
ghsa CVSS3.1 6.5
Vulnerability type
CWE-129
Published: 24 Mar 2026 · Updated: 24 Mar 2026 · First seen: 19 Mar 2026