CVE-2026-32320 Overview
CVE-2026-32320 is a denial of service vulnerability in Ella Core, a 5G core platform designed for private networks. Prior to version 1.5.1, Ella Core panics when processing a PathSwitchRequest containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings. This vulnerability allows an unauthenticated attacker to crash the Ella Core process by sending specially crafted NGAP (NG Application Protocol) messages, resulting in service disruption for all connected subscribers.
Critical Impact
An unauthenticated remote attacker can cause complete service disruption for all subscribers connected to the 5G private network by crashing the Ella Core process with a single malformed NGAP message.
Affected Products
- Ellanetworks Ella Core versions prior to 1.5.1
Discovery Timeline
- 2026-03-13 - CVE CVE-2026-32320 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-32320
Vulnerability Analysis
This vulnerability stems from improper input validation when Ella Core processes NGAP PathSwitchRequest messages. The NGAP protocol is a critical component in 5G networks, handling communication between the Access and Mobility Management Function (AMF) and the Radio Access Network (RAN). When a PathSwitchRequest message contains UE Security Capabilities with zero-length bitstrings for NR encryption or integrity protection algorithms, the application fails to handle this edge case gracefully.
Instead of properly validating the length of these security capability fields before processing, Ella Core attempts to read data that doesn't exist, triggering a panic condition. The panic causes the entire Ella Core process to terminate, affecting all subscribers currently connected to the private 5G network. The vulnerability is classified under CWE-125 (Out-of-Bounds Read), as the application reads memory beyond the valid boundaries of the provided data structure.
Root Cause
The root cause of this vulnerability is insufficient bounds checking when parsing UE Security Capabilities within NGAP PathSwitchRequest messages. The code assumes that the NR encryption and integrity protection algorithm bitstrings will contain valid data without first verifying their length. When zero-length bitstrings are provided, the subsequent read operation accesses invalid memory locations, causing the application to panic and terminate.
Attack Vector
The attack can be executed remotely over the network without any authentication requirements. An attacker with network access to the Ella Core instance can craft a malicious NGAP PathSwitchRequest message with zero-length UE Security Capability bitstrings. When Ella Core processes this message, it immediately crashes, causing a denial of service condition.
The attack is particularly impactful because:
- No authentication is required to send NGAP messages
- A single malformed message can crash the entire service
- All connected subscribers lose connectivity when the process terminates
- The attacker can repeatedly trigger the crash to maintain the denial of service
For detailed technical information about this vulnerability, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-32320
Indicators of Compromise
- Unexpected Ella Core process crashes or restarts
- Log entries indicating panic conditions during NGAP message processing
- NGAP PathSwitchRequest messages with malformed or zero-length UE Security Capability fields
- Sudden loss of connectivity for all 5G subscribers in the private network
Detection Strategies
- Monitor Ella Core process health and automatically alert on unexpected terminations
- Implement network traffic analysis to identify malformed NGAP messages with invalid UE Security Capability structures
- Deploy intrusion detection rules to flag PathSwitchRequest messages with zero-length security capability bitstrings
- Enable verbose logging on NGAP message processing to capture details before crash events
Monitoring Recommendations
- Configure process monitoring to detect and alert on Ella Core crashes with automatic restart capabilities
- Implement NGAP protocol-aware network monitoring at network boundaries
- Set up anomaly detection for unusual patterns in PathSwitchRequest message volumes or structures
- Monitor system logs for panic-related entries associated with NGAP processing
How to Mitigate CVE-2026-32320
Immediate Actions Required
- Upgrade Ella Core to version 1.5.1 or later immediately
- Implement network segmentation to restrict access to NGAP interfaces from untrusted sources
- Deploy network-level filtering to validate NGAP message structure before reaching Ella Core
- Enable process monitoring with automatic restart capabilities to minimize downtime during attacks
Patch Information
This vulnerability is fixed in Ella Core version 1.5.1. Organizations should upgrade to this version or later as the primary remediation strategy. The security advisory and patch details are available at the GitHub Security Advisory.
Workarounds
- Implement firewall rules to restrict NGAP protocol access to trusted RAN equipment only
- Deploy a protocol-aware proxy or gateway to validate NGAP messages before forwarding to Ella Core
- Configure network ACLs to limit source IP addresses that can communicate with the AMF interface
- If immediate patching is not possible, consider running multiple Ella Core instances behind a load balancer for redundancy
# Example firewall configuration to restrict NGAP access
# Replace <TRUSTED_RAN_IP> with actual trusted RAN IP addresses
iptables -A INPUT -p sctp --dport 38412 -s <TRUSTED_RAN_IP> -j ACCEPT
iptables -A INPUT -p sctp --dport 38412 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
