Skip to main content

CVE-2026-34761

MEDIUM
NULL Pointer Dereference (CWE-476)
2026-04-01 https://github.com/ellanetworks/core GHSA-6gm8-3g4h-w82m
5.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.8 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch released
Apr 02, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 01, 2026 - 23:16 vuln.today
CVE Published
Apr 01, 2026 - 22:59 nvd
MEDIUM 5.8

DescriptionGitHub Advisory

Summary

Ella Core panics when processing a NGAP handover failure message.

Impact

If an attacker can force a gNodeB to send NGAP handover failure messages to Ella Core, the process will crash, thereby disrupting service for all connected subscribers.

Fix

Improve guards in NGAP handover handlers.

AnalysisAI

Ella Core panics and crashes when processing malformed NGAP handover failure messages from a gNodeB, causing a denial of service for all connected mobile subscribers. An authenticated attacker with high privileges on the radio network can force a gNodeB to send crafted NGAP handover failure messages that trigger a null pointer dereference in Ella Core's handover handler, terminating the core network process. No public exploit code or active exploitation has been identified.

Technical ContextAI

Ella Core is a Go-based 5G core network implementation that implements the NGAP (NG Application Protocol) used for signaling between gNodeB base stations and the 5G core network. The vulnerability exists in the NGAP handover failure message handler, which fails to properly validate or guard against null pointer conditions before dereferencing handler state. The root cause is CWE-476 (null pointer dereference), indicating insufficient null checks or validation in the handover failure processing logic. An attacker positioned to control gNodeB signaling (high privilege, high complexity attack) can craft specific NGAP handover failure messages that cause the handler to attempt dereferencing a null pointer, crashing the entire Ella Core process and disrupting service to all subscribers connected to that core instance.

RemediationAI

Update Ella Core to the patched version specified in the GitHub security advisory at https://github.com/ellanetworks/core/security/advisories/GHSA-6gm8-3g4h-w82m. The fix improves guards and null pointer checks in NGAP handover failure message handlers. No workarounds are documented; patching is the primary remediation. Operators should also review gNodeB configurations and access controls to restrict which systems can send NGAP signaling to the core network, limiting the attack surface to trusted radio network elements.

Share

CVE-2026-34761 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy