CVE-2026-32319 Overview
Ella Core is a 5G core designed for private networks. Prior to version 1.5.1, Ella Core panics when processing a malformed integrity protected NGAP/NAS message with a length under 7 bytes. An attacker able to send crafted NAS messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required. This vulnerability is fixed in version 1.5.1.
Critical Impact
Unauthenticated remote attackers can cause complete denial of service for all subscribers connected to the 5G private network by sending malformed NAS messages, resulting in immediate process crash and network-wide service disruption.
Affected Products
- Ellanetworks Ella Core versions prior to 1.5.1
Discovery Timeline
- 2026-03-13 - CVE CVE-2026-32319 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-32319
Vulnerability Analysis
This vulnerability is classified as an Out-of-Bounds Read (CWE-125) affecting the NGAP/NAS message processing functionality in Ella Core. The flaw occurs when the 5G core software attempts to process integrity protected messages that are shorter than the expected minimum length of 7 bytes.
When a malformed message is received, the application attempts to read beyond the allocated buffer boundaries, triggering a panic condition that immediately terminates the process. This design flaw in input validation allows any network-accessible attacker to disrupt service without requiring any form of authentication or authorization.
The vulnerability is particularly severe in the context of private 5G networks where Ella Core serves as critical infrastructure. A successful exploit results in complete service disruption for all connected subscribers until the process is restarted.
Root Cause
The root cause is insufficient length validation in the NGAP/NAS message parsing routine. The code fails to verify that incoming integrity protected messages meet the minimum required length (7 bytes) before attempting to process the message contents. This missing boundary check allows the parser to read memory outside the allocated message buffer, causing the Go runtime to panic and crash the entire process.
Attack Vector
The attack can be executed remotely over the network without any authentication. An attacker with network access to the Ella Core NAS interface can send specially crafted messages with a length under 7 bytes. The vulnerability requires no user interaction and can be exploited reliably to cause immediate denial of service.
The attack flow consists of:
- Attacker identifies a target Ella Core instance on the network
- Attacker crafts a malformed integrity protected NGAP/NAS message with length under 7 bytes
- Attacker sends the crafted message to the Ella Core NAS processing endpoint
- Ella Core attempts to parse the message and triggers an out-of-bounds read
- The application panics and crashes, disrupting service for all connected subscribers
Detection Methods for CVE-2026-32319
Indicators of Compromise
- Unexpected Ella Core process crashes or restarts in system logs
- NGAP/NAS messages with abnormally short lengths (under 7 bytes) in network traffic captures
- Repeated service disruptions affecting all 5G subscribers simultaneously
- Crash dumps or core files indicating panic conditions in message parsing routines
Detection Strategies
- Monitor Ella Core process health and implement alerting on unexpected terminations
- Deploy network intrusion detection rules to identify NGAP/NAS messages with suspicious payload lengths
- Analyze system logs for panic messages or stack traces related to NAS message processing
- Implement packet inspection at network boundaries to detect malformed 5G signaling traffic
Monitoring Recommendations
- Enable comprehensive logging for all NGAP/NAS message processing activities
- Configure process monitoring to detect and alert on Ella Core crashes within seconds
- Establish baseline metrics for normal message lengths and alert on statistical anomalies
- Deploy network flow analysis to identify sources sending unusually short NAS messages
How to Mitigate CVE-2026-32319
Immediate Actions Required
- Upgrade Ella Core to version 1.5.1 or later immediately
- Implement network segmentation to restrict access to the Ella Core NAS interface
- Deploy intrusion prevention systems capable of blocking malformed NGAP/NAS messages
- Establish automated process restart mechanisms to minimize downtime during attacks
Patch Information
The vulnerability is fixed in Ella Core version 1.5.1. Organizations should upgrade to this version or later to remediate the vulnerability. For detailed patch information and release notes, refer to the GitHub Security Advisory.
Workarounds
- Restrict network access to Ella Core NAS interfaces using firewall rules to trusted sources only
- Deploy a network-level filter or WAF to drop NGAP/NAS messages with payload lengths under 7 bytes
- Implement automatic process restart and monitoring to reduce impact duration of successful exploits
- Consider deploying Ella Core behind a reverse proxy or load balancer capable of basic message validation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
