Ella Core: AMF DoS via malformed PathSwitchRequest with empty NR security capability bitstrings

GHSA-j478-p7vq-3347 · CVE-2026-32320 · GO-2026-4691

Published Mar 12, 2026 · Modified Mar 23, 2026

Description

Summary

Ella Core panics when processing a PathSwitchRequest containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings, resulting in a denial of service.

Impact

An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required.

Fix

Added length validation on NR algorithm bitstrings before accessing them in the PathSwitchRequest handler.

References

WEB https://github.com/ellanetworks/core/security/advisories/GHSA-j478-p7vq-3347
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-32320
PACKAGE https://github.com/ellanetworks/core
WEB https://github.com/ellanetworks/core/releases/tag/v1.5.1
WEB https://pkg.go.dev/vuln/GO-2026-4691

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes