CVE-2026-33907
MEDIUMSeverity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
Ella Core panics when processing Authentication Response and Authentication Failure NAS message missing IEs.
Impact
An attacker able to send crafted NAS messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required.
Fix
Added IE presence verification to NAS message handling.
AnalysisAI
Ella Core crashes when processing NAS Authentication Response and Authentication Failure messages with missing Information Elements, enabling unauthenticated attackers on the adjacent network to trigger denial of service affecting all connected subscribers. The vulnerability stems from a null pointer dereference in message handling logic (CWE-476) and carries a CVSS 6.5 score reflecting high availability impact with low attack complexity. Vendor-released patch available via GitHub release v1.7.0.
Technical ContextAI
Ella Core (github.com/ellanetworks/core, a Go-based telecommunications/mobile network function package) processes NAS (Non-Access Stratum) messages as part of 3GPP authentication workflows. NAS messages contain mandatory Information Elements (IEs) that must be present for proper parsing. The vulnerability manifests when Authentication Response or Authentication Failure messages lack required IEs; the code attempts to dereference pointers to these missing fields without validation, triggering a nil pointer panic that crashes the entire process. CWE-476 (Null Pointer Dereference) is the root cause class. This affects the pkg:go/github.com_ellanetworks_core package directly.
RemediationAI
Upgrade Ella Core to version v1.7.0 or later, which includes Information Element presence verification in NAS message handling (see GitHub commit 52962660e3bd3e23c7e96b0da270ac1e0e705273 and vendor release notes). Until patching is feasible, restrict network access to Ella Core to trusted administrative and subscriber-facing interfaces, disable or rate-limit NAS message processing from untrusted sources, and implement network segmentation to isolate Ella Core from untrusted adjacent network segments. Monitor process logs and implement automated restart policies to detect and mitigate crash events. Consult the vendor advisory at https://github.com/ellanetworks/core/security/advisories/GHSA-55q8-2gwx-29pc for environment-specific deployment guidance.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today