Skip to main content

CVE-2026-33904

MEDIUM
Deadlock (CWE-833)
2026-03-26 https://github.com/ellanetworks/core
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 26, 2026 - 22:16 vuln.today
CVE Published
Mar 26, 2026 - 22:13 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Summary

A deadlock in the AMF's SCTP notification handler causes the entire AMF control plane to hang until the process is restarted.

Impact

An attacker with access to the N2 interface can cause Ella Core to hang, resulting in a denial of service for all subscribers.

Fix

Add deferred Radio cleanup in serveConn SCTP server so that every connection exit path removes the radio. Remove the stale-entry scan from SCTP Notification handling.

AnalysisAI

Ella Core's AMF control plane deadlocks in the SCTP notification handler when processing malformed or stale radio entries, allowing unauthenticated attackers with N2 interface access to hang the entire Access and Mobility Function until manual process restart, completely denying service to all subscribers. The vulnerability (CVSS 6.5, CWE-833 deadlock) stems from improper synchronization in radio cleanup logic combined with stale-entry scanning, and patches are available in version 1.7.0 and later.

Technical ContextAI

Ella Core (github.com/ellanetworks/core) is a 5G Access and Mobility Function (AMF) implementation in Go that handles control-plane signaling over SCTP (Stream Control Transmission Protocol). The vulnerability resides in the serveConn SCTP server's radio connection lifecycle management. CWE-833 identifies the root cause as improper synchronization in a multi-threaded context-specifically, deferred radio resource cleanup on connection exit was missing, and the stale-entry scan logic in SCTP notification handling was not thread-safe or was holding locks across I/O operations. When an attacker crafts SCTP packets that trigger notification handler execution while stale radio entries exist, the handler can deadlock waiting for locks or I/O that never complete, freezing the entire AMF process.

RemediationAI

Upgrade Ella Core to version 1.7.0 or later, which includes deferred radio cleanup in the serveConn SCTP server and removal of the stale-entry scan from SCTP notification handling (see https://github.com/ellanetworks/core/releases/tag/v1.7.0). Until patching is complete, restrict network access to the N2 interface to only trusted RAN equipment via firewall rules, disable SCTP access from untrusted sources, and implement monitoring on the AMF process for unexpected hangs. If immediate upgrade is not feasible, consider deploying a load balancer or redundant AMF instances with automatic failover to mitigate denial of service impact.

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-33904 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy