CVE-2026-33904 Overview
CVE-2026-33904 is a deadlock vulnerability in Ella Core, a 5G core network solution designed for private networks. The vulnerability exists in the Access and Mobility Management Function (AMF) component's SCTP notification handler, where improper synchronization leads to a deadlock condition that causes the entire AMF control plane to hang until the process is manually restarted.
This vulnerability allows an attacker with access to the N2 interface—the reference point between the Radio Access Network (RAN) and the 5G Core—to trigger a complete denial of service affecting all subscribers connected to the private 5G network.
Critical Impact
An attacker with adjacent network access to the N2 interface can cause the Ella Core AMF to hang indefinitely, resulting in complete denial of service for all 5G subscribers until manual process restart.
Affected Products
- Ella Core versions prior to 1.7.0
- Private 5G network deployments using vulnerable Ella Core AMF
- Systems with exposed N2 interface access
Discovery Timeline
- 2026-03-27 - CVE-2026-33904 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-33904
Vulnerability Analysis
This vulnerability is classified as CWE-833 (Deadlock), a race condition subtype where two or more threads enter a state in which each is waiting for the other to release a resource, resulting in an indefinite hang. In the context of Ella Core, the deadlock occurs within the AMF's SCTP notification handler, which is responsible for managing Stream Control Transmission Protocol events for 5G signaling between the RAN and core network.
The AMF (Access and Mobility Management Function) is a critical 5G core network function that handles connection and mobility management, authentication, and security procedures. When the deadlock is triggered, the entire control plane becomes unresponsive, preventing new UE registrations, handovers, and session management for all subscribers.
The vulnerability requires adjacent network access, meaning the attacker must have connectivity to the N2 interface—typically an internal network segment—but does not require any authentication or user interaction to exploit.
Root Cause
The root cause of this vulnerability lies in improper resource cleanup handling within the SCTP server's connection management code. Specifically, the stale-entry scanning logic in the SCTP notification handler creates a synchronization conflict with the connection exit paths, resulting in a deadlock condition.
Prior to the fix, the notification handler attempted to clean up stale radio connection entries during event processing, which could conflict with concurrent connection termination operations. This created a circular dependency where each code path waited for locks held by the other.
Attack Vector
The attack exploits the adjacent network attack vector through the N2 interface, which connects the 5G Radio Access Network to the core network. An attacker positioned on the same network segment as the N2 interface can send specially crafted SCTP messages or manipulate connection states to trigger the deadlock condition in the AMF's notification handler.
The attack requires no privileges and no user interaction, making it relatively straightforward to execute once network access is obtained. The impact is limited to availability—no confidentiality or integrity compromise occurs—but the denial of service affects all subscribers relying on the affected 5G core.
The fix implemented in version 1.7.0 addresses this by introducing deferred radio cleanup in the serveConn SCTP server, ensuring every connection exit path properly removes the radio entry without conflicting with notification handling. Additionally, the stale-entry scan was removed from the SCTP notification handling code path, eliminating the source of the deadlock.
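The deferred-cleanup pattern described above, as an added Go example that is not Ella Core's own code. The registry type, event constants and function bodies are hypothetical; only the name serveConn comes from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// radioRegistry is a hypothetical stand-in for the AMF's table of connected radios.
type radioRegistry struct {
	mu     sync.Mutex
	radios map[string]bool
}

func (r *radioRegistry) add(id string)    { r.mu.Lock(); r.radios[id] = true; r.mu.Unlock() }
func (r *radioRegistry) remove(id string) { r.mu.Lock(); delete(r.radios, id); r.mu.Unlock() }

// Constructed event kinds for this demo, not real SCTP notification codes.
const evData, evShutdown, evReadError = 0, 1, 2

// serveConn (illustrative body) owns the radio entry for its own connection.
func serveConn(reg *radioRegistry, id string, events []int) error {
	reg.add(id)
	defer reg.remove(id) // runs on every return below, so no entry can go stale
	for _, ev := range events {
		switch ev {
		case evReadError:
			return errors.New("read failed")
		case evShutdown: // notification path: exit only, no scan of other entries
			return errors.New("association shut down")
		}
	}
	return nil // peer closed the connection normally
}

// leftover serves all sessions concurrently and returns how many entries remain.
func leftover(sessions map[string][]int) int {
	reg := &radioRegistry{radios: map[string]bool{}}
	var wg sync.WaitGroup
	for id, evs := range sessions {
		wg.Add(1)
		go func(id string, evs []int) { defer wg.Done(); _ = serveConn(reg, id, evs) }(id, evs)
	}
	wg.Wait()
	return len(reg.radios)
}

func main() {
	fmt.Println(leftover(map[string][]int{"a": {evData, evShutdown}, "b": {evReadError}}))
}
```

Because each connection removes only its own entry, the notification path never needs to walk or lock entries owned by other connections.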
Detection Methods for CVE-2026-33904
Indicators of Compromise
- AMF process becomes unresponsive and stops processing new 5G signaling requests
- SCTP connections to the AMF remain open but receive no responses
- Subscriber registration and mobility procedures fail across all connected RAN nodes
- Process monitoring shows AMF threads in blocked/waiting state with no CPU activity
Detection Strategies
- Monitor AMF process health and responsiveness with regular heartbeat checks
- Implement SCTP connection state monitoring for the N2 interface
- Configure alerting for subscriber registration failure rate spikes
- Deploy thread state monitoring to detect deadlock conditions in the AMF process
Monitoring Recommendations
- Enable detailed logging for SCTP notification events and connection lifecycle
- Monitor N2 interface traffic patterns for anomalous connection behavior
- Implement automated process restart mechanisms with deadlock detection
- Configure network segmentation monitoring to detect unauthorized N2 interface access
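A liveness probe for the heartbeat and deadlock-detection items above, as an added Go example that is not part of Ella Core. It models the case where sockets stay open but nothing is processed: the probe passes through the same queue and lock as the handlers, so a hung handler makes it time out. All names are hypothetical and the fault is constructed.

```go
package main
import (
	"fmt"
	"sync"
	"time"
)

// startLoop models a control-plane event loop (hypothetical): probes share its queue and lock.
func startLoop(mu *sync.Mutex) chan chan struct{} {
	pings := make(chan chan struct{}, 1)
	go func() {
		for reply := range pings {
			mu.Lock() // blocks forever if a handler is deadlocked while holding mu
			mu.Unlock()
			close(reply)
		}
	}()
	return pings
}

// probe reports whether the loop answered within timeout; an open socket alone proves nothing.
func probe(pings chan chan struct{}, timeout time.Duration) bool {
	reply, deadline := make(chan struct{}), time.After(timeout)
	select {
	case pings <- reply:
	case <-deadline:
		return false // queue still holds an earlier, unanswered probe
	}
	select {
	case <-reply:
		return true
	case <-deadline:
		return false
	}
}

// needsRestart is true only when maxFail consecutive probes all go unanswered.
func needsRestart(pings chan chan struct{}, maxFail int, timeout time.Duration) bool {
	for i := 0; i < maxFail; i++ {
		if probe(pings, timeout) {
			return false
		}
	}
	return true
}

func main() {
	var mu sync.Mutex
	fmt.Println("healthy loop needs restart:", needsRestart(startLoop(&mu), 3, time.Second))
}
```

Requiring several consecutive misses before restarting avoids bouncing the process on a single slow response.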
How to Mitigate CVE-2026-33904
Immediate Actions Required
- Upgrade Ella Core to version 1.7.0 or later immediately
- Restrict network access to the N2 interface to authorized RAN nodes only
- Implement network segmentation to isolate the N2 interface from untrusted network segments
- Configure automated AMF process monitoring and restart procedures as a temporary safeguard
Patch Information
The vulnerability is resolved in Ella Core version 1.7.0, which implements two key fixes: deferred radio cleanup in the serveConn SCTP server ensuring every connection exit path removes the radio entry cleanly, and removal of the stale-entry scan from SCTP notification handling.
The fix is available in GitHub Release v1.7.0. Technical details of the patch can be reviewed in the GitHub Commit Log. For complete vulnerability information, refer to the GitHub Security Advisory GHSA-9h59-p45g-445h.
Workarounds
- Implement strict access control lists on the N2 interface to limit connections to known RAN nodes
- Deploy network monitoring to detect and block anomalous SCTP traffic patterns
- Configure automated process health monitoring with automatic restart capabilities
- Isolate the 5G core network from untrusted network segments using firewall rules
```bash
# Example: Restrict N2 interface access using iptables
# Allow only authorized RAN nodes to access AMF SCTP port
iptables -A INPUT -p sctp --dport 38412 -s <AUTHORIZED_RAN_IP_1> -j ACCEPT
iptables -A INPUT -p sctp --dport 38412 -s <AUTHORIZED_RAN_IP_2> -j ACCEPT
iptables -A INPUT -p sctp --dport 38412 -j DROP
```

