CVE-2026-33281
MEDIUM
GHSA-q669-4gmv-g8mf
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Tags
Description
## Summary Ella Core panics when processing NGAP messages with invalid PDU Session IDs outside of 1-15. ## Impact An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required. ## Fix Added PDU Session ID validations during NGAP message handling.
Analysis
Ella Core contains an input validation flaw that causes the process to panic when receiving NGAP messages with PDU Session IDs outside the valid range of 1-15, enabling unauthenticated attackers to trigger denial of service affecting all connected subscribers. The vulnerability (CWE-129: Improper Validation of Array Index) carries a CVSS score of 6.5 with network-level attack vector and low complexity, though it requires low privilege context according to the vector string. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today