Suse
CVE-2026-33283
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
Ella Core panics when processing malformed UL NAS Transport NAS messages without a Request Type.
Impact
An attacker able to send crafted NAS messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required.
Fix
Add a guard when receiving an UL NAS Message without a Request Type given no SM Context.
AnalysisAI
Ella Core contains a null pointer dereference vulnerability (CWE-476) that causes the process to panic when processing malformed UL NAS Transport NAS messages that lack a Request Type field, particularly when no SM Context is present. An attacker with network access and minimal privileges can send crafted NAS messages to trigger this crash, resulting in complete denial of service for all connected subscribers without requiring authentication. The CVSS 6.5 score reflects the high availability impact, though the requirement for low privileges (PR:L) and network-only access (AV:N) constrains the overall severity.
Technical ContextAI
This vulnerability affects Ella Core (pkg:go/github.com_ellanetworks_core), a 5G/LTE network core component implemented in Go. The affected code processes UL (Uplink) NAS (Non-Access Stratum) Transport messages, which are part of the 3GPP mobile network protocol stack used for signaling between user equipment and the network core. The root cause is a null pointer dereference (CWE-476) in the message handling logic when the Request Type field is absent and no Session Management (SM) Context exists. The code fails to validate the presence of the Request Type field before dereferencing it, causing an unhandled panic that crashes the entire process. This is a classic memory safety issue in Go where a missing guard clause allows a nil pointer to be accessed.
RemediationAI
Apply the patch provided in the GitHub security advisory GHSA-3366-gw57-fcm5 by upgrading Ella Core to the fixed version available at https://github.com/ellanetworks/core/security/advisories/GHSA-3366-gw57-fcm5. The fix adds a guard clause to validate the presence of a Request Type when processing UL NAS messages without an SM Context, preventing the null pointer dereference. Until patching is possible, network segmentation and access controls should restrict NAS message transmission to trusted sources, and monitoring should be implemented to detect malformed NAS messages. Consider deploying a message validation proxy or firewall rule that drops NAS packets lacking required fields before they reach Ella Core.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-3366-gw57-fcm5