CVE-2026-33904
MEDIUMSeverity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
A deadlock in the AMF's SCTP notification handler causes the entire AMF control plane to hang until the process is restarted.
Impact
An attacker with access to the N2 interface can cause Ella Core to hang, resulting in a denial of service for all subscribers.
Fix
Add deferred Radio cleanup in serveConn SCTP server so that every connection exit path removes the radio. Remove the stale-entry scan from SCTP Notification handling.
AnalysisAI
Ella Core's AMF control plane deadlocks in the SCTP notification handler when processing malformed or stale radio entries, allowing unauthenticated attackers with N2 interface access to hang the entire Access and Mobility Function until manual process restart, completely denying service to all subscribers. The vulnerability (CVSS 6.5, CWE-833 deadlock) stems from improper synchronization in radio cleanup logic combined with stale-entry scanning, and patches are available in version 1.7.0 and later.
Technical ContextAI
Ella Core (github.com/ellanetworks/core) is a 5G Access and Mobility Function (AMF) implementation in Go that handles control-plane signaling over SCTP (Stream Control Transmission Protocol). The vulnerability resides in the serveConn SCTP server's radio connection lifecycle management. CWE-833 identifies the root cause as improper synchronization in a multi-threaded context-specifically, deferred radio resource cleanup on connection exit was missing, and the stale-entry scan logic in SCTP notification handling was not thread-safe or was holding locks across I/O operations. When an attacker crafts SCTP packets that trigger notification handler execution while stale radio entries exist, the handler can deadlock waiting for locks or I/O that never complete, freezing the entire AMF process.
RemediationAI
Upgrade Ella Core to version 1.7.0 or later, which includes deferred radio cleanup in the serveConn SCTP server and removal of the stale-entry scan from SCTP notification handling (see https://github.com/ellanetworks/core/releases/tag/v1.7.0). Until patching is complete, restrict network access to the N2 interface to only trusted RAN equipment via firewall rules, disable SCTP access from untrusted sources, and implement monitoring on the AMF process for unexpected hangs. If immediate upgrade is not feasible, consider deploying a load balancer or redundant AMF instances with automatic failover to mitigate denial of service impact.
Same weakness CWE-833 – Deadlock
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today