Ella Core, Unauthenticated AMF DoS, CVE-2026-32319 (Critical)

Listen to this Post

Ella Core, a 5G core network software for private deployments, is susceptible to a critical denial of service (DoS) vulnerability identified as CVE-2026-32319 . The flaw resides in how the Access and Mobility Management Function (AMF) component processes incoming NGAP/NAS messages. Specifically, when the system receives a malformed integrity-protected InitialUEMessage containing a NAS (Non-Access Stratum) payload that is less than 7 bytes in length, it triggers an out-of-bounds read condition (CWE-125) . The code fails to validate that the message length is sufficient before attempting to process it, leading to a system panic . Because the malformed message can be sent without any authentication, any attacker with network access to the AMF can exploit this vulnerability. A successful attack causes the Ella Core process to crash instantly, resulting in a complete service outage for all connected subscribers until the service is manually restarted. The vulnerability is fixed in software release 1.5.1 by implementing the missing length verification .

DailyCVE Form:

Platform: Ella Core
Version: Prior 1.5.1
Vulnerability : Unauthenticated AMF DoS
Severity: Critical (7.5)
Date: 12 Mar 2026

Prediction: Patch already available (v1.5.1)

What Undercode Say:

Analytics:

This vulnerability represents a significant availability risk for private 5G networks relying on unpatched Ella Core instances. The CVSS score of 7.5 (High) reflects the network attack vector, low attack complexity, and lack of required privileges or user interaction . Given that the advisory was published on March 12, 2026, and a fix was released concurrently, the window of exposure is limited to environments that have not yet applied the update.

Exploit:

An attacker can exploit this vulnerability by establishing a connection with the target AMF and sending a crafted InitialUEMessage. The malicious message must contain an integrity-protected NAS PDU that is malformed and has a total length of less than 7 bytes. The lack of proper bounds checking in vulnerable versions (prior to 1.5.1) will cause the AMF to read out-of-bounds, leading to a process panic and denial of service.

Protection from this CVE:

  1. Upgrade: Immediately update to Ella Core version 1.5.1 or later, which contains the fix for the length verification flaw .
  2. Verification: Check the current version to ensure it is patched.
    Example command to check version (actual command may vary based on deployment)
    ella-core --version
    If the version is below 1.5.1, it is vulnerable.
    
  3. Network Segmentation: Restrict network access to the AMF interface to only trusted sources as a defense-in-depth measure.

Impact:

Successful exploitation leads to a complete crash of the Ella Core AMF process. This results in a total denial of service for the 5G core, disconnecting all User Equipment (UE) and preventing any new registrations or mobility events. Service is only restored upon manual intervention to restart the affected process.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top