CVE-2026-34761
MEDIUMSeverity by source
AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
Ella Core panics when processing a NGAP handover failure message.
Impact
If an attacker can force a gNodeB to send NGAP handover failure messages to Ella Core, the process will crash, thereby disrupting service for all connected subscribers.
Fix
Improve guards in NGAP handover handlers.
AnalysisAI
Ella Core panics and crashes when processing malformed NGAP handover failure messages from a gNodeB, causing a denial of service for all connected mobile subscribers. An authenticated attacker with high privileges on the radio network can force a gNodeB to send crafted NGAP handover failure messages that trigger a null pointer dereference in Ella Core's handover handler, terminating the core network process. No public exploit code or active exploitation has been identified.
Technical ContextAI
Ella Core is a Go-based 5G core network implementation that implements the NGAP (NG Application Protocol) used for signaling between gNodeB base stations and the 5G core network. The vulnerability exists in the NGAP handover failure message handler, which fails to properly validate or guard against null pointer conditions before dereferencing handler state. The root cause is CWE-476 (null pointer dereference), indicating insufficient null checks or validation in the handover failure processing logic. An attacker positioned to control gNodeB signaling (high privilege, high complexity attack) can craft specific NGAP handover failure messages that cause the handler to attempt dereferencing a null pointer, crashing the entire Ella Core process and disrupting service to all subscribers connected to that core instance.
RemediationAI
Update Ella Core to the patched version specified in the GitHub security advisory at https://github.com/ellanetworks/core/security/advisories/GHSA-6gm8-3g4h-w82m. The fix improves guards and null pointer checks in NGAP handover failure message handlers. No workarounds are documented; patching is the primary remediation. Operators should also review gNodeB configurations and access controls to restrict which systems can send NGAP signaling to the core network, limiting the attack surface to trusted radio network elements.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-6gm8-3g4h-w82m