CVE-2026-32320: Denial of Service in Ella Core AMF via Malformed PathSwitchRequest
Vulnerability ID: CVE-2026-32320
CVSS Score: 6.5
Published: 2026-03-12
Ella Core versions prior to 1.5.1 contain a denial-of-service vulnerability in the Access and Mobility Management Function (AMF). Processing a malformed PathSwitchRequest NGAP message triggers an out-of-bounds read, causing a runtime panic and complete process termination.
TL;DR
A zero-length bitstring in the UE Security Capabilities of a PathSwitchRequest causes an index-out-of-range panic in Ella Core's AMF. This allows an attacker with network access to the SCTP interface to crash the AMF process, resulting in a denial-of-service condition for the 5G network.
Technical Details
- CWE ID: CWE-125 (Out-of-bounds Read)
- Attack Vector: Network (SCTP / NGAP)
- CVSS v3.1 Score: 6.5
- Impact: High (Denial of Service)
- Exploit Status: Unproven / PoC
- CISA KEV: False
Affected Systems
- Ella Core Access and Mobility Management Function (AMF)
- Ella Core: < 1.5.1 (Fixed in: 1.5.1)
Code Analysis
Commit: 1e404ee
fix: length check in path switch request IE (#1099)
Commit: 722e79f
Security hardening: payload length validation for NAS messages
Commit: 1944bf0
Mitigates nil-pointer dereferences in UPF rule lookups
Commit: 200392f
Migrates eBPF maps from Array to Hash types
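The kind of length check named in commit 1e404ee above, as an added Go example. This is not Ella Core's code: the types `BitString` and `UESecurityCapabilities` and every function name are hypothetical stand-ins for the decoded IE. It contrasts direct indexing, which panics on a zero-length bitstring, with a validated read that returns an error the caller can use to reject the message.

```go
package main

import (
	"errors"
	"fmt"
)

// BitString is a hypothetical stand-in for a decoded ASN.1 BIT STRING.
type BitString struct{ Bytes []byte }

// UESecurityCapabilities models the four algorithm bitmaps of the IE (hypothetical type).
type UESecurityCapabilities struct {
	NREnc, NRInt, EUTRAEnc, EUTRAInt BitString
}

var ErrEmptyBitString = errors.New("UE security capabilities: zero-length bitstring")

// parseUnchecked indexes Bytes[0] directly; an empty bitstring panics here.
func parseUnchecked(c UESecurityCapabilities) [4]byte {
	return [4]byte{c.NREnc.Bytes[0], c.NRInt.Bytes[0], c.EUTRAEnc.Bytes[0], c.EUTRAInt.Bytes[0]}
}

// parseChecked validates every bitstring length before indexing and
// returns an error instead of letting the runtime panic.
func parseChecked(c UESecurityCapabilities) ([4]byte, error) {
	var out [4]byte
	for i, b := range []BitString{c.NREnc, c.NRInt, c.EUTRAEnc, c.EUTRAInt} {
		if len(b.Bytes) == 0 {
			return out, fmt.Errorf("field %d: %w", i, ErrEmptyBitString)
		}
		out[i] = b.Bytes[0]
	}
	return out, nil
}

// panics reports whether f panicked; in a real process an unrecovered panic ends it.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	// Constructed sample: the first field decoded with zero length.
	bad := UESecurityCapabilities{BitString{[]byte{}}, BitString{[]byte{0xe0}},
		BitString{[]byte{0xe0}}, BitString{[]byte{0xe0}}}
	fmt.Println("unchecked panics:", panics(func() { parseUnchecked(bad) }))
	_, err := parseChecked(bad)
	fmt.Println("checked error:", err)
}
```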
Mitigation Strategies
- Upgrade Ella Core AMF to version 1.5.1 or later.
- Enforce IP-based access control lists (ACLs) on the AMF's SCTP interface (N2) to permit traffic only from authenticated and trusted RAN nodes.
- Deploy network intrusion detection rules to inspect ASN.1 encoded NGAP messages for anomalous zero-length bitstrings in the UE Security Capabilities IE.
Remediation Steps:
- Verify the current version of the Ella Core AMF component in the environment.
- Download the Ella Core v1.5.1 release or update the corresponding container images from the vendor repository.
- Schedule a maintenance window, as restarting the AMF will temporarily disrupt control plane signaling.
- Apply the update and verify that the AMF process restarts successfully.
- Monitor the N2 interface for normal NG Setup and Path Switch Request procedures to confirm operational stability.
References
- GitHub Security Advisory GHSA-j478-p7vq-3347
- CVE.org Record for CVE-2026-32320
- MITRE ATT&CK T1005 - Data from Local System
Read the full report for CVE-2026-32320 on our website for more details including interactive diagrams and full exploit analysis.