{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32320", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T21:16:21.661Z", "datePublished": "2026-03-12T21:34:50.318Z", "dateUpdated": "2026-03-14T03:46:29.938Z"}, "containers": {"cna": {"title": "Ella Core: AMF DoS via malformed PathSwitchRequest with empty NR security capability bitstrings", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ellanetworks/core/security/advisories/GHSA-j478-p7vq-3347", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ellanetworks/core/security/advisories/GHSA-j478-p7vq-3347"}], "affected": [{"vendor": "ellanetworks", "product": "core", "versions": [{"version": "< 1.5.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T21:34:50.318Z"}, "descriptions": [{"lang": "en", "value": "Ella Core is a 5G core designed for private networks. Prior to 1.5.1, Ella Core panics when processing a PathSwitchRequest containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings, resulting in a denial of service. An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required. This vulnerability is fixed in 1.5.1."}], "source": {"advisory": "GHSA-j478-p7vq-3347", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-14T03:46:19.675025Z", "id": "CVE-2026-32320", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-14T03:46:29.938Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32320", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-14T03:46:19.675025Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-14T03:46:25.703Z"}}], "cna": {"title": "Ella Core: AMF DoS via malformed PathSwitchRequest with empty NR security capability bitstrings", "source": {"advisory": "GHSA-j478-p7vq-3347", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "ellanetworks", "product": "core", "versions": [{"status": "affected", "version": "< 1.5.1"}]}], "references": [{"url": "https://github.com/ellanetworks/core/security/advisories/GHSA-j478-p7vq-3347", "name": "https://github.com/ellanetworks/core/security/advisories/GHSA-j478-p7vq-3347", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Ella Core is a 5G core designed for private networks. Prior to 1.5.1, Ella Core panics when processing a PathSwitchRequest containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings, resulting in a denial of service. An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required. This vulnerability is fixed in 1.5.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T21:34:50.318Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32320", "state": "PUBLISHED", "dateUpdated": "2026-03-14T03:46:29.938Z", "dateReserved": "2026-03-11T21:16:21.661Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-12T21:34:50.318Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ellanetworks:ella_core:*:*:*:*:*:*:*:*", "matchCriteriaId": "187BCA62-CD29-487C-B2AE-AEEA54452188", "versionEndExcluding": "1.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Ella Core is a 5G core designed for private networks. Prior to 1.5.1, Ella Core panics when processing a PathSwitchRequest containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings, resulting in a denial of service. An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required. This vulnerability is fixed in 1.5.1."}], "id": "CVE-2026-32320", "lastModified": "2026-03-19T13:38:45.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-13T19:54:42.450", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/ellanetworks/core/security/advisories/GHSA-j478-p7vq-3347"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "core", "source": "cna", "vendor": "ellanetworks"}, "product": "core", "vendor": "ellanetworks"}], "analysis": {"en": {"generated_at": "2026-03-19T15:54:45.365563+00:00", "value": {"mitigation_remediation": ["Upgrade Ella Core to version\u202f1.5.1 or later."], "summary": {"action": "Patch Now", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All deployments of Ella Core prior to version 1.5.1 are affected. The impacted product is listed in the CPE string cpe:2.3:a:ellanetworks:ella_core:*:*:*:*:*:*:*:*. Operators using ellanetworks:core without upgrading to 1.5.1 or newer are exposed to this flaw.", "description_and_impact": "Ella Core is a 5G core network implementation that processes NGAP messages. The vulnerability is triggered when a PathSwitchRequest contains UE Security Capabilities with zero\u2011length NR encryption or integrity protection algorithm bitstrings. The AMF process panics, causing a crash that results in denial of service for all connected subscribers. The weakness corresponds to an out\u2011of\u2011bounds read (CWE\u2011125). No authentication is required to send the crafted NGAP message, so the attack can be performed by any entity capable of sending NGAP traffic to the network.", "risk_and_exploitability": "The CVSS base score is 6.5, indicating medium severity. The EPSS score is less than 1\u202f%, suggesting a low probability of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. However, because the exploit does not require authentication and relies on a simple, malformed NGAP message, the potential impact of a successful exploit is significant, as a single attack can disrupt services for an entire private 5G network. Operators should treat this as a medium to high risk depending on the exposure of their NGAP interfaces."}}}}, "created": "2026-03-13T09:49:31.628207+00:00", "updated": "2026-03-23T10:00:04.605060+00:00", "vendors": ["ellanetworks", "ellanetworks$PRODUCT$core"]}