CVE-2026-33904
MEDIUMCVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Tags
Description
## Summary A deadlock in the AMF's SCTP notification handler causes the entire AMF control plane to hang until the process is restarted. ## Impact An attacker with access to the N2 interface can cause Ella Core to hang, resulting in a denial of service for all subscribers. ## Fix Add deferred Radio cleanup in serveConn SCTP server so that every connection exit path removes the radio. Remove the stale-entry scan from SCTP Notification handling.
Analysis
Ella Core's AMF control plane deadlocks in the SCTP notification handler when processing malformed or stale radio entries, allowing unauthenticated attackers with N2 interface access to hang the entire Access and Mobility Function until manual process restart, completely denying service to all subscribers. The vulnerability (CVSS 6.5, CWE-833 deadlock) stems from improper synchronization in radio cleanup logic combined with stale-entry scanning, and patches are available in version 1.7.0 and later.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today