Guillaume Belanger

4 exploits Active since Mar 2026
CVE-2026-33903 WRITEUP MEDIUM WRITEUP
Ella Core panics when processing a crafted NGAP LocationReport message
Ella Core is a 5G core designed for private networks. Versions prior to 1.7.0 panic when processing a specially crafted NGAP LocationReport message. An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected subscribers. Version 1.7.0 adds guards in NGAP Location Report handler.
CVSS 6.5
CVE-2026-33904 WRITEUP MEDIUM WRITEUP
Ella Core has a Denial of Service via SCTP connection cleanup deadlock
Ella Core is a 5G core designed for private networks. Prior to version 1.7.0, a deadlock in the AMF's SCTP notification handler causes the entire AMF control plane to hang until the process is restarted. An attacker with access to the N2 interface can cause Ella Core to hang, resulting in a denial of service for all subscribers. Version 1.7.0 adds deferred Radio cleanup in serveConn SCTP server so that every connection exit path removes the radio. Remove the stale-entry scan from SCTP Notification handling.
CVSS 6.5
CVE-2026-33906 WRITEUP HIGH WRITEUP
Ella Core has Privilege Escalation via Database Restore by NetworkManager role
Ella Core is a 5G core designed for private networks. Prior to version 1.7.0, the NetworkManager role was granted backup and restore permission. The restore endpoint accepted any valid SQLite file without verifying its contents. A NetworkManager could replace the production database with a tampered copy to escalate to Admin, gaining access to user management, audit logs, debug endpoints, and operator identity configuration that the role was explicitly denied. In version 1.7.0, backup and restore permissions have been removed from the NetworkManager role.
CVSS 7.2
CVE-2026-33907 WRITEUP MEDIUM WRITEUP
Ella Core Panics during NAS Authentication Response/Failure with missing IEs
Ella Core is a 5G core designed for private networks. Versions prior to 1.7.0 panic when processing Authentication Response and Authentication Failure NAS message missing IEs. An attacker able to send crafted NAS messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required. Version 1.7.0 added IE presence verification to NAS message handling.
CVSS 6.5