Skip to main content

Suse CVE-2026-33282

HIGH
NULL Pointer Dereference (CWE-476)
2026-03-19 https://github.com/ellanetworks/core GHSA-826q-wrq4-p23x
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 19, 2026 - 18:00 vuln.today
CVE Published
Mar 19, 2026 - 17:47 nvd
HIGH 7.5

DescriptionGitHub Advisory

Summary

Ella Core panics when processing a malformed NGAP LocationReport message with ue-presence-in-area-of-interest event type and omitting the optional UEPresenceInAreaOfInterestList IE.

Impact

An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required.

Fix

Added IE presence verification to NGAP message handling.

AnalysisAI

Ella Core is vulnerable to a denial of service attack via a null pointer dereference when processing malformed NGAP LocationReport messages that omit the required UEPresenceInAreaOfInterestList field. An unauthenticated attacker with network access can crash the Ella Core process, disrupting service for all connected subscribers. No patch is currently available.

Technical ContextAI

Ella Core is a Go-based 5G core network implementation as indicated by the CPE pkg:go/github.com_ellanetworks_core. The vulnerability occurs in the NGAP (Next Generation Application Protocol) message handling, specifically when processing LocationReport messages used in 5G networks for tracking user equipment presence. The root cause is CWE-476 (NULL Pointer Dereference), where the code attempts to access the UEPresenceInAreaOfInterestList information element without first verifying its presence in the message, leading to a panic condition in the Go runtime when this optional field is omitted.

RemediationAI

Update Ella Core to the latest version that includes the fix adding IE (Information Element) presence verification to NGAP message handling. The patch ensures proper validation of the UEPresenceInAreaOfInterestList field before processing LocationReport messages. Until patching is possible, implement network-level controls to restrict NGAP message sources to trusted network elements only, and monitor for unexpected process crashes that could indicate exploitation attempts. Full remediation details are available in the GitHub security advisory at https://github.com/ellanetworks/core/security/advisories/GHSA-826q-wrq4-p23x.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-33282 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy