CVE-2026-32320
Published: 13 March 2026
Summary
CVE-2026-32320 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Ellanetworks Ella Core. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 18.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Deeper analysis
CVE-2026-32320 is a denial-of-service vulnerability in Ella Core, a 5G core implementation designed for private networks. Versions prior to 1.5.1 suffer from a panic condition triggered when processing a PathSwitchRequest message that includes UE Security Capabilities with zero-length bitstrings for NR encryption or integrity protection algorithms. This issue stems from CWE-125 (out-of-bounds read) and has a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
An attacker with the ability to send crafted NGAP messages to the Ella Core deployment can exploit this vulnerability to crash the core process, resulting in service disruption for all connected subscribers. No authentication is required to deliver the malicious PathSwitchRequest, enabling remote exploitation over the network with low complexity, though the CVSS vector indicates low privileges (PR:L) are needed.
The vulnerability is addressed in Ella Core version 1.5.1. Security practitioners should upgrade to this patched release, as detailed in the official advisory at https://github.com/ellanetworks/core/security/advisories/GHSA-j478-p7vq-3347.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11724
Vulnerability details
Ella Core is a 5G core designed for private networks. Prior to 1.5.1, Ella Core panics when processing a PathSwitchRequest containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings, resulting in a denial of service. An…
more
attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required. This vulnerability is fixed in 1.5.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remotely triggerable crash (panic from out-of-bounds read) in a network-exposed 5G core process when a crafted NGAP PathSwitchRequest is processed; this directly maps to exploitation of a software vulnerability to cause application/service denial of service.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of NGAP PathSwitchRequest inputs (UE Security Capabilities bitstrings) to reject zero-length values before they trigger the out-of-bounds read and panic.
Requires non-abnormal termination on malformed protocol data, preventing the process crash that produces the DoS for all subscribers.
Provides denial-of-service protection mechanisms that can limit the impact of unauthenticated crafted NGAP messages reaching the 5G core process.