Listen to this Post
This vulnerability resides in how Ella Core, a 5G core network component, processes a specific NGAP (Next Generation Application Protocol) message called PathSwitchRequest. This message is used during handover procedures and contains “UE Security Capabilities,” which include bitstrings that list supported encryption and integrity protection algorithms for 5G (NR). The software fails to validate the length of these bitstrings before accessing their content. An attacker can craft a malicious PathSwitchRequest where the NR encryption or integrity protection algorithm bitstring is of zero length. When Ella Core’s Access and Mobility Management Function (AMF) attempts to read this empty bitstring, it triggers an out-of-bounds read (CWE-125), causing the Go program to panic and crash. This results in a Denial of Service (DoS) for all connected subscribers, and because the attacker does not need to be authenticated, the attack surface is significant .
dailycve form:
Platform: Ella Core
Version: <1.5.1
Vulnerability :DoS via PathSwitchRequest
Severity: Moderate (CVSS:6.5)
date: 12 Mar 2026
Prediction: 14 Mar 2026
What Undercode Say:
Analytics:
- Vulnerability Type: Out-of-bounds Read (CWE-125)
- Attack Vector: Network (NGAP)
- Authentication Required: None
- Impact: High (Availability only)
- Affected Component: Access and Mobility Management Function (AMF)
- Root Cause: Missing length validation on NR algorithm bitstrings in PathSwitchRequest handler.
- Fix Commit: Likely in release v1.5.1
Exploit:
This is a conceptual example. A real exploit would require crafting a valid NGAP message.
The goal is to send a PathSwitchRequest with an empty NR algorithm bitstring.
Using a tool like scappy or a custom Go script to craft the packet.
Example Python snippet using scapy (hypothetical 5G NGAP layer):
from scapy.contrib.mobile import
packet = NGAP() / NGAP_PathSwitchRequest(
ueSecurityCapabilities=NGAP_UE_Security_Capabilities(
nrEncryptionAlgorithms="", Zero-length bitstring
nrIntegrityProtectionAlgorithms="" Zero-length bitstring
)
)
send(packet, iface="eth0")
To test if your own instance is vulnerable, you could use a fuzzer to send mutated PathSwitchRequest messages.
Example using a simple bash one-liner with netcat (if the service accepts raw TCP on a port - THIS IS UNLIKELY FOR NGAP which uses SCTP).
echo -e "malformed_payload" | nc <target_ip> <port>
The correct fix involves adding a length check in the Go code:
Example of vulnerable code:
func (h Handler) handlePathSwitchRequest(ueSecurityCaps UESecurityCapabilities) {
nrEncAlgs := ueSecurityCaps.NrEncryptionAlgorithms
firstByte := nrEncAlgs[bash] // PANIC if nrEncAlgs is empty
}
Example of patched code:
func (h Handler) handlePathSwitchRequest(ueSecurityCaps UESecurityCapabilities) {
if len(ueSecurityCaps.NrEncryptionAlgorithms) == 0 {
log.Println("Received empty NR encryption algorithms, rejecting request")
return
}
nrEncAlgs := ueSecurityCaps.NrEncryptionAlgorithms
firstByte := nrEncAlgs[bash] // Safe now
}
Protection from this CVE:
- Patch Immediately: Update Ella Core to version 1.5.1 or later, which contains the fix .
- Network Segmentation: If patching is not immediately possible, restrict network access to the AMF (Port 38412/SCTP for N2 interface) to only trusted RAN (Radio Access Network) nodes.
- Monitor Logs: Watch for unexpected crashes or panics in the Ella Core process, which may indicate exploitation attempts.
Impact:
- Service Disruption: A successful attack causes the AMF to crash, disconnecting all User Equipment (UE) from the 5G core.
- No Authentication Bypass: The vulnerability does not allow for data theft or privilege escalation, only service interruption.
- Private 5G Networks at Risk: As Ella Core is designed for private networks, organizations using this software for critical infrastructure could face significant operational downtime.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

