Ella Core panics on malformed NGAP Location Report

GHSA-826q-wrq4-p23x · CVE-2026-33282 · GO-2026-4780

Published Mar 19, 2026 · Modified Mar 25, 2026

Description

Summary

Ella Core panics when processing a malformed NGAP LocationReport message with ue-presence-in-area-of-interest event type and omitting the optional UEPresenceInAreaOfInterestList IE.

Impact

An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required.

Fix

Added IE presence verification to NGAP message handling.

References

WEB https://github.com/ellanetworks/core/security/advisories/GHSA-826q-wrq4-p23x
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-33282
PACKAGE https://github.com/ellanetworks/core

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes