CVE-2026-33907
MEDIUMElla Core Panics during NAS Authentication Response/Failure with missing IEs
Title source: cnaDescription
Ella Core is a 5G core designed for private networks. Versions prior to 1.7.0 panic when processing Authentication Response and Authentication Failure NAS message missing IEs. An attacker able to send crafted NAS messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required. Version 1.7.0 added IE presence verification to NAS message handling.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/ellanetworks/core/security/advisories/GHSA-55q8-2gwx-29pc
X_Refsource_Misc x_refsource_misc
https://github.com/ellanetworks/core/commit/52962660e3bd3e23c7e96b0da270ac1e0e705273
X_Refsource_Misc x_refsource_misc
https://github.com/ellanetworks/core/releases/tag/v1.7.0
Scores
CVSS v3
6.5
EPSS
0.0024
EPSS Percentile
14.3%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-476
Status
published
Products (3)
ellanetworks/core
0 - 1.7.0Go
ellanetworks/core
< 1.7.0
ellanetworks/ella_core
< 1.7.0
Published
Mar 27, 2026
Tracked Since
Mar 29, 2026