CVE-2026-33903
MEDIUMSeverity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
Ella Core panics when processing a specially crafted NGAP LocationReport message.
Impact
An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected subscribers.
Fix
Add guards in NGAP Location Report handler.
AnalysisAI
Ella Core suffers a null pointer dereference vulnerability in its NGAP LocationReport message handler that causes the process to panic and crash, enabling unauthenticated network-adjacent attackers to trigger denial of service affecting all connected mobile subscribers. The vulnerability (CVE-2026-33903, CVSS 6.5) stems from missing input validation guards and has a vendor-released patch available in version 1.7.0; no public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
Ella Core (pkg:go/github.com_ellanetworks_core) is a Go-based telecom signaling platform that implements NGAP (NG Application Protocol), the control plane protocol between 5G core and radio access networks. The vulnerability is a null pointer dereference (CWE-476) occurring in the LocationReport message handler, a standard NGAP procedure used to report UE location updates. The missing guard means the handler does not validate pointer validity before dereferencing, causing an unhandled panic that crashes the entire Ella Core process. Because LocationReport is a fundamental NGAP message sent by gNodeBs (5G base stations) during normal operation, a specially crafted malformed message can reliably trigger the panic.
RemediationAI
Upgrade Ella Core to version 1.7.0 or later, which includes the null pointer guard fixes merged in commit ec77a2ad4508f8488cb356fd45b2f1efd92587f8. The patch is available immediately from the vendor GitHub releases. Until patching is completed, implement network-level mitigations by restricting NGAP message sources to trusted gNodeBs and peer 5G core entities via ingress filtering on the SCTP/N2 interface, and consider deploying a message validation proxy that sanitizes LocationReport payloads before forwarding to Ella Core. Monitor Ella Core process logs and implement alerting on unexpected panic/crash events to detect exploitation attempts.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today