CVE-2026-33907 Overview
CVE-2026-33907 is a Null Pointer Dereference vulnerability affecting Ella Core, a 5G core network solution designed for private networks. Versions prior to 1.7.0 are vulnerable to a denial of service condition when processing Authentication Response and Authentication Failure NAS (Non-Access Stratum) messages that are missing required Information Elements (IEs). An attacker with adjacent network access can send specially crafted NAS messages to the Ella Core process, causing it to panic and crash.
Critical Impact
This vulnerability lets unauthenticated attackers on an adjacent network crash the entire 5G core process, disrupting service for all connected subscribers.
Affected Products
- Ella Core versions prior to 1.7.0
- Ella Networks 5G Core Private Network deployments
- Environments processing NAS authentication messages
Discovery Timeline
- 2026-03-27 - CVE-2026-33907 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-33907
Vulnerability Analysis
This vulnerability is classified as CWE-476 (NULL Pointer Dereference). The Ella Core AMF (Access and Mobility Management Function) component fails to validate the presence of required Information Elements in NAS authentication messages before attempting to process them. When Authentication Response or Authentication Failure messages arrive without the expected AuthenticationResponseParameter or AuthenticationFailureParameter IEs, the code attempts to dereference these nil pointers, triggering a Go runtime panic that crashes the entire process.
The vulnerability requires adjacent network access, meaning an attacker must be on the same local network segment as the 5G core infrastructure. However, no authentication is required to exploit this flaw, making it particularly dangerous in shared or insufficiently segmented network environments.
Root Cause
The root cause is missing input validation in the NAS message handling code within the AMF component. Specifically, the handle_authentication_response.go and handle_authentication_failure.go files did not verify that required Information Elements were present before calling getter methods on potentially nil pointers. When a malformed NAS message arrives without the expected IE, the subsequent GetRES() or GetAuthenticationFailureParameter() calls attempt to access nil pointer fields, causing the Go runtime to panic.
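The pattern described above, as a runnable Go example that is added here and is not Ella Core's code: the message types, `handleUnchecked`, `handleChecked` and `dispatch` are constructed stand-ins, and the `recover` wrapper is an assumed defense-in-depth layer that is not part of the 1.7.0 patch.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed stand-ins for a decoded NAS message; not Ella Core's own types.
type AuthenticationResponseParameter struct{ res [16]byte }
type AuthenticationResponse struct {
	AuthenticationResponseParameter *AuthenticationResponseParameter // nil when the IE is absent
}

var ErrMissingIE = errors.New("missing AuthenticationResponseParameter IE")

// GetRES dereferences the IE pointer without checking it.
func (m *AuthenticationResponse) GetRES() [16]byte { return m.AuthenticationResponseParameter.res }

// handleUnchecked follows the pre-1.7.0 pattern: getter called with no presence check.
func handleUnchecked(m *AuthenticationResponse) (string, error) {
	res := m.GetRES()
	return hex.EncodeToString(res[:]), nil
}

// handleChecked follows the fix: reject the message before touching the IE.
func handleChecked(m *AuthenticationResponse) (string, error) {
	if m.AuthenticationResponseParameter == nil {
		return "", ErrMissingIE
	}
	res := m.GetRES()
	return hex.EncodeToString(res[:]), nil
}

// dispatch is an assumed extra layer, not part of the patch: a handler panic
// becomes an error for that one message and the process keeps running.
func dispatch(h func(*AuthenticationResponse) (string, error), m *AuthenticationResponse) (out string, err error) {
	defer func() {
		if r := recover(); r != nil {
			out, err = "", fmt.Errorf("handler panic contained: %v", r)
		}
	}()
	return h(m)
}

func main() {
	empty := &AuthenticationResponse{} // constructed input: IE absent
	fmt.Println(dispatch(handleChecked, empty))
	fmt.Println(dispatch(handleUnchecked, empty))
}
```

Without the `recover` in `dispatch`, the second call would terminate the whole process, which is the behaviour the advisory describes for versions prior to 1.7.0.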
Attack Vector
The attack exploits the Adjacent Network attack vector. An attacker positioned on the same network segment as the Ella Core deployment can craft malicious NAS messages that omit the required AuthenticationResponseParameter or AuthenticationFailureParameter Information Elements. When these malformed messages are processed by the AMF, the missing validation causes a nil pointer dereference, crashing the core process and disrupting service for all connected 5G subscribers.
// Patch for handle_authentication_failure.go
// Source: https://github.com/ellanetworks/core/commit/52962660e3bd3e23c7e96b0da270ac1e0e705273
return nil
}
+ if msg.AuthenticationFailureParameter == nil {
+ return fmt.Errorf("missing AuthenticationFailureParameter IE for SynchFailure")
+ }
+
auts := msg.GetAuthenticationFailureParameter()
resynchronizationInfo := &models.ResynchronizationInfo{
Auts: hex.EncodeToString(auts[:]),
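Review bot: the nil check before `msg.GetAuthenticationFailureParameter()` protects this call site only, so any other caller of the getter remains exposed to the same dereference; consider making the getter nil-safe or rejecting a message without the IE when it is decoded. The returned error names the missing IE but carries nothing that identifies the UE or source, which would help operators correlate repeated rejections. A regression test that feeds this handler a failure message without the IE and asserts the error is returned would keep the guard from being lost in a later refactor.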
// Patch for handle_authentication_response.go
// Source: https://github.com/ellanetworks/core/commit/52962660e3bd3e23c7e96b0da270ac1e0e705273
return fmt.Errorf("ue Authentication Context is nil")
}
+ if msg.AuthenticationResponseParameter == nil {
+ return fmt.Errorf("missing AuthenticationResponseParameter IE")
+ }
+
resStar := msg.GetRES()
// Calculate HRES* (TS 33.501 Annex A.5)
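Review bot: the new guard on `msg.AuthenticationResponseParameter` has no accompanying test in the visible lines; add one that passes an Authentication Response without the IE and asserts the handler returns "missing AuthenticationResponseParameter IE" rather than panicking. The two error strings in this function also differ in style ("ue Authentication Context is nil" versus "missing ... IE"), so consider a consistent form that log-based alerting can match on.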
Detection Methods for CVE-2026-33907
Indicators of Compromise
- Unexpected Ella Core process crashes or restarts, particularly during authentication procedures
- Go runtime panic messages in logs referencing nil pointer dereference in handle_authentication_response.go or handle_authentication_failure.go
- Service disruption events affecting multiple 5G subscribers simultaneously
- Anomalous NAS message patterns from specific network sources
Detection Strategies
- Monitor Ella Core process health and implement alerting on unexpected process terminations
- Analyze application logs for Go panic stack traces related to authentication handling code paths
- Deploy network intrusion detection systems to identify malformed NAS message patterns
- Implement process restart monitoring to detect repeated crash-restart cycles indicative of active exploitation
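One way to implement the log-analysis strategy above, as an added example that is not part of the original page or of Ella Core: `scanPanics` and the sample log, including its paths and timestamps, are constructed, and only the two handler file names come from the advisory.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Handler files named in the advisory.
var watched = []string{"handle_authentication_response.go", "handle_authentication_failure.go"}

// Constructed sample: one nil-dereference panic in a watched handler, one unrelated panic.
const sampleLog = `panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x0]
goroutine 42 [running]:
example/amf.handleAuthenticationResponse(...)
	/src/amf/handle_authentication_response.go:10 +0x1c
2026-03-28T10:00:07Z INFO starting
panic: runtime error: index out of range [3] with length 2
goroutine 7 [running]:
	/src/other/file.go:5 +0x2a
`

// scanPanics returns, per nil-dereference panic, the first stack line naming a watched file.
func scanPanics(log string) []string {
	var hits []string
	inTrace := false // true while reading the trace of a nil-dereference panic
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.Contains(line, "panic: ") {
			inTrace = strings.Contains(line, "nil pointer dereference")
			continue
		}
		for _, f := range watched {
			if inTrace && strings.Contains(line, f) {
				hits = append(hits, line)
				inTrace = false // one hit per panic
			}
		}
	}
	return hits
}

func main() {
	for _, h := range scanPanics(sampleLog) {
		fmt.Println("auth-handler nil dereference:", h)
	}
}
```

Counting hits per time window on top of this gives the repeated crash-restart signal listed in the last bullet.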
Monitoring Recommendations
- Configure centralized logging for all Ella Core instances with real-time alerting on process failures
- Implement application performance monitoring to track AMF component stability metrics
- Monitor network traffic at the 5G core boundary for unusual authentication message patterns
- Deploy SentinelOne Singularity platform for endpoint-level visibility into process behavior and crash events
How to Mitigate CVE-2026-33907
Immediate Actions Required
- Upgrade Ella Core to version 1.7.0 or later immediately
- Implement network segmentation to restrict adjacent network access to 5G core infrastructure
- Configure process supervision to automatically restart Ella Core in case of crashes while patching is in progress
- Review network access controls to limit which systems can send NAS messages to the core
Patch Information
The vulnerability has been addressed in Ella Core version 1.7.0. The fix adds explicit nil pointer checks for required Information Elements before processing NAS authentication messages. The patch is available via the GitHub Release v1.7.0. Additional details are available in the GitHub Security Advisory GHSA-55q8-2gwx-29pc and the GitHub Commit Details.
Workarounds
- Implement strict network segmentation to prevent untrusted systems from having adjacent network access to the 5G core
- Deploy network-level filtering to validate NAS message structure before reaching Ella Core
- Configure firewall rules to restrict sources that can communicate with the AMF component
- Enable process supervision with automatic restart capabilities to minimize downtime during an attack
# Configuration example
# Network segmentation example using iptables to restrict AMF access
# Replace eth0 and IP ranges with your environment specifics
# Allow only trusted management network to access AMF (NGAP, SCTP port 38412)
iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p sctp --dport 38412 -j ACCEPT
iptables -A INPUT -i eth0 -p sctp --dport 38412 -j DROP
# Enable process supervision with systemd
# Restart= cannot be changed with "systemctl set-property"; use a drop-in file
mkdir -p /etc/systemd/system/ella-core.service.d
printf '[Service]\nRestart=always\nRestartSec=5\n' > /etc/systemd/system/ella-core.service.d/restart.conf
systemctl daemon-reload
systemctl enable ella-core
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

