CVE-2026-33903 Overview
CVE-2026-33903 is a Null Pointer Dereference vulnerability affecting Ella Core, a 5G core designed for private networks. Versions prior to 1.7.0 panic when processing a specially crafted NGAP LocationReport message due to missing null checks on Information Elements (IEs). An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected subscribers.
Critical Impact
Successful exploitation results in complete denial of service for all 5G subscribers connected to the affected Ella Core instance, potentially disrupting critical private network communications.
Affected Products
- Ella Core versions prior to 1.7.0
- 5G private network deployments using vulnerable Ella Core versions
- NGAP (NG Application Protocol) handlers in AMF (Access and Mobility Management Function)
Discovery Timeline
- 2026-03-27 - CVE-2026-33903 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-33903
Vulnerability Analysis
This vulnerability stems from improper input validation in the NGAP Location Report handler within Ella Core's AMF implementation. The affected code fails to verify whether the AreaOfInterestList Information Element is present before attempting to iterate over its contents. When a malformed NGAP LocationReport message is received without the expected IEs, the handler attempts to access a nil pointer, causing the Go runtime to panic and crash the entire process.
The vulnerability is classified as CWE-476 (NULL Pointer Dereference). The attack requires adjacent network access, meaning an attacker must be able to reach the NGAP interface, which is typically exposed on the N2 interface between the gNB (5G base station) and the AMF. While this limits the attack surface compared to internet-facing vulnerabilities, compromised or malicious radio equipment within the network perimeter could readily exploit this flaw.
Root Cause
The root cause is the absence of null pointer guards before dereferencing the locationReportingRequestType.AreaOfInterestList field and related UE association data structures. The NGAP protocol allows optional Information Elements, but the handler implementation assumed these fields would always be populated when processing LocationReport messages.
A secondary issue exists in the NG Reset handler where improper control flow allows code execution to continue after encountering a nil ranUe reference, potentially leading to additional dereference issues.
Attack Vector
The attack vector requires adjacent network access to the NGAP interface. An attacker with access to the N2 interface (typically between the gNB and AMF) can craft malicious NGAP LocationReport messages that omit Information Elements the handler expects. When the AMF processes these malformed messages, the null pointer dereference triggers a panic, terminating the Ella Core process and disconnecting all subscribers.
// Security patch - Added null check for AreaOfInterestList
// Source: https://github.com/ellanetworks/core/commit/ec77a2ad4508f8488cb356fd45b2f1efd92587f8
break
}
+ if locationReportingRequestType.AreaOfInterestList == nil {
+ logger.WithTrace(ctx, ranUe.Log).Warn("AreaOfInterestList is nil, skipping area matching")
+ break
+ }
+
for _, uEPresenceInAreaOfInterestItem := range uEPresenceInAreaOfInterestList.List {
uEPresence := uEPresenceInAreaOfInterestItem.UEPresence.Value
referenceID := uEPresenceInAreaOfInterestItem.LocationReportingReferenceID.Value
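Review bot: the new guard tests locationReportingRequestType.AreaOfInterestList, but the loop directly below it ranges over uEPresenceInAreaOfInterestList.List, a different variable that the visible lines never check. Confirm that the block ending in `break }` just above covers a nil uEPresenceInAreaOfInterestList, and add the same check if it does not. The warning also logs through ranUe.Log, so ranUe has to be known non-nil at this point. A regression test that feeds the handler a LocationReport with each optional IE absent in turn would pin both cases.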
Source: GitHub Commit Update
// Security patch - Fixed control flow in NG Reset handler
// Source: https://github.com/ellanetworks/core/commit/ec77a2ad4508f8488cb356fd45b2f1efd92587f8
if ueAssociatedLogicalNGConnectionItem.RANUENGAPID != nil {
logger.WithTrace(ctx, ran.Log).Warn("RANUENGAPID is not empty", zap.Int64("RanUeNgapID", ueAssociatedLogicalNGConnectionItem.RANUENGAPID.Value))
}
+
+ continue
}
err := ranUe.Remove()
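Review bot: the added `continue` skips `ranUe.Remove()` for this item, but the only log line in the block, "RANUENGAPID is not empty", is conditional on RANUENGAPID != nil and does not say the item was skipped. When RANUENGAPID is nil the skip is silent. Consider a warning that states the item is being skipped and why, plus a test with a reset item that takes this branch to confirm the loop moves on to the next item without reaching `ranUe.Remove()`.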
Source: GitHub Commit Update
Detection Methods for CVE-2026-33903
Indicators of Compromise
- Unexpected Ella Core process terminations or restarts in system logs
- Go runtime panic messages referencing handle_location_report.go or handle_ng_reset.go in crash dumps
- Sudden mass disconnection of 5G subscribers without network infrastructure issues
- NGAP LocationReport messages with missing or malformed Information Elements in packet captures
Detection Strategies
- Monitor Ella Core process health and implement alerting on unexpected process terminations
- Deploy network intrusion detection rules to identify malformed NGAP messages targeting the AMF
- Analyze NGAP traffic for LocationReport messages with anomalous or missing IE structures
- Implement log correlation to detect patterns of repeated crashes coinciding with specific NGAP message types
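One way to automate the crash-log indicator and the repeated-crash correlation listed above, as an added example that is not code from Ella Core or the advisory: it counts Go panics whose stack trace references the two handler files. The log prefix format, the placeholder paths and the 64-line trace window are assumptions, and the sample log is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Handler source files named in the advisory's indicators.
var watched = []string{"handle_location_report.go", "handle_ng_reset.go"}

// Constructed sample log: prefixes and paths are placeholders, not real output.
const sampleLog = `Mar 30 10:00:01 host core[101]: panic: runtime error: invalid memory address or nil pointer dereference
Mar 30 10:00:01 host core[101]:   /placeholder/handle_location_report.go:1 +0x0
Mar 30 10:00:06 host core[102]: starting
Mar 30 10:02:10 host core[102]: panic: runtime error: invalid memory address or nil pointer dereference
Mar 30 10:02:10 host core[102]:   /placeholder/handle_location_report.go:1 +0x0
Mar 30 10:05:00 host core[103]: panic: constructed unrelated failure
Mar 30 10:05:00 host core[103]:   /placeholder/other.go:1 +0x0
`

// CountCrashes returns, per watched file, the number of Go panics that have
// that file in the stack frames logged after the "panic:" line.
func CountCrashes(log string) map[string]int {
	counts := map[string]int{}
	left := 0 // trace lines still to inspect for the current panic (assumed window)
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := sc.Text()
		if strings.Contains(line, "panic: ") {
			left = 64
			continue
		}
		for _, f := range watched {
			if left > 0 && strings.Contains(line, f+":") {
				counts[f]++
				left = 1 // attribute each panic to one file only
				break
			}
		}
		if left > 0 {
			left--
		}
	}
	return counts
}

func main() {
	fmt.Println(CountCrashes(sampleLog)) // alert when a count repeats, e.g. >= 2
}
```

A count of two or more for the same handler file within a short period is the repeated-crash pattern worth alerting on; a single hit still warrants checking the running version against 1.7.0.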
Monitoring Recommendations
- Enable verbose logging on the NGAP handler to capture details of incoming messages before processing
- Set up process monitoring with automatic restart capabilities to minimize downtime during attacks
- Monitor N2 interface traffic for unusual patterns or sources of NGAP messages
- Implement rate limiting on NGAP message processing to slow potential denial of service attacks
How to Mitigate CVE-2026-33903
Immediate Actions Required
- Upgrade Ella Core to version 1.7.0 or later immediately
- Review and restrict network access to the N2/NGAP interface to trusted gNB equipment only
- Implement network segmentation to isolate the AMF from untrusted network segments
- Enable process supervision to automatically restart Ella Core in case of crashes
Patch Information
Ella Networks has released version 1.7.0 which adds guards in the NGAP Location Report handler to prevent null pointer dereferences. The patch adds explicit nil checks before accessing optional Information Elements and corrects control flow issues in the NG Reset handler. Organizations should upgrade to this version through their standard deployment process.
For detailed patch information, refer to the GitHub Security Advisory GHSA-f2f3-9cx3-wcmf and the GitHub Release v1.7.0.
Workarounds
- Implement firewall rules to restrict NGAP traffic to known, trusted gNB IP addresses only
- Deploy a network-level proxy or filter that validates NGAP message structure before forwarding to Ella Core
- Enable process monitoring and automatic restart to reduce downtime if exploitation occurs
- Consider deploying redundant AMF instances to maintain service availability during potential attacks
# Configuration example - restrict NGAP (N2) interface access
# Allow only trusted gNB addresses to reach the AMF NGAP port (SCTP 38412);
# 10.0.1.0/24 is an example subnet, substitute the gNB address range in use
iptables -A INPUT -p sctp --dport 38412 -s 10.0.1.0/24 -j ACCEPT
iptables -A INPUT -p sctp --dport 38412 -j DROP
# Enable process monitoring with systemd
systemctl enable ella-core
systemctl edit ella-core --force
# In the editor, add under [Service]: Restart=always and RestartSec=5

