Ella Core NGAP Message Handling Vulnerability Leads to Denial of Service
Ella Core versions prior to 1.6.0 are vulnerable to a denial-of-service attack where a crafted NGAP LocationReport message with a missing `UEPresenceInAreaOfInterestList` can crash the process, disrupting service for all connected subscribers.
Ella Core, a 5G core designed for private networks, is susceptible to a denial-of-service (DoS) vulnerability in versions prior to 1.6.0. This flaw, identified as CVE-2026-33282, stems from improper handling of malformed Next Generation Application Protocol (NGAP) LocationReport messages. Specifically, if the ue-presence-in-area-of-interest event type is present without the optional UEPresenceInAreaOfInterestList information element (IE), the Ella Core process panics. An attacker, without requiring authentication, can exploit this by sending specially crafted NGAP messages to the vulnerable Ella Core instance. Successful exploitation results in a crash of the Ella Core process, leading to service disruption for all connected subscribers. The vendor addressed this vulnerability in version 1.6.0 by implementing IE presence verification in NGAP message handling.
Attack Chain
- The attacker identifies a vulnerable Ella Core instance running a version prior to 1.6.0.
- The attacker crafts a malicious NGAP LocationReport message.
- The crafted message includes the
ue-presence-in-area-of-interestevent type. - Crucially, the
UEPresenceInAreaOfInterestListinformation element (IE) is omitted from the message. - The attacker sends the crafted NGAP message to the vulnerable Ella Core instance.
- Upon receiving the malformed message, the Ella Core process attempts to parse the missing
UEPresenceInAreaOfInterestListIE. - Due to the missing IE, the parsing operation fails, causing a panic within the Ella Core process.
- The Ella Core process crashes, leading to a denial of service condition for all connected subscribers.
Impact
Successful exploitation of CVE-2026-33282 leads to a denial-of-service condition affecting all subscribers connected to the vulnerable Ella Core instance. This can disrupt critical communication services in private 5G networks, potentially impacting industrial control systems, healthcare facilities, or other environments relying on uninterrupted connectivity. The severity is high due to the ease of exploitation (no authentication required) and the potential for widespread service disruption.
Recommendation
- Upgrade Ella Core instances to version 1.6.0 or later to patch CVE-2026-33282.
- Deploy the Sigma rule
Detect Malformed NGAP LocationReport Messagesto identify potentially malicious NGAP messages being sent to Ella Core instances. - Implement network-level filtering to block or rate-limit NGAP traffic from suspicious sources.
Detection coverage 3
Detect Malformed NGAP LocationReport Messages
highDetects NGAP LocationReport messages with missing UEPresenceInAreaOfInterestList IE which can cause a denial of service.
Detect High Volume of NGAP Traffic to Ella Core
mediumDetects a sudden increase in NGAP traffic volume to an Ella Core instance, which could indicate a DoS attempt.
Detect Malformed NGAP Messages via Protocol Decoding Errors
mediumDetects malformed NGAP messages based on protocol decoding errors, which can indicate exploitation attempts.
Detection queries are available on the platform. Get full rules →