Cyber Posture

CVE-2026-33281

Medium

Published: 24 March 2026

Modified: 24 March 2026
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0002 (5.7th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33281 is a medium-severity Improper Validation of Array Index (CWE-129) vulnerability in Ellanetworks Ella Core. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 5.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Directly addresses the CWE-129 improper validation of PDU Session IDs in NGAP messages by enforcing input validation mechanisms to prevent array index errors and process crashes.

prevent

Mitigates service disruption by requiring error handling for invalid NGAP PDU Session IDs that would otherwise cause panics in Ella Core.

prevent

Protects against denial-of-service attacks via crafted NGAP messages by implementing DoS protections at system entry points.

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes remote unauthenticated exploitation of an application vulnerability (invalid PDU Session ID in NGAP causing panic/crash) that directly results in denial of service, matching Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Ella Core is a 5G core designed for private networks. Versions prior to 1.6.0 panic when processing NGAP messages with invalid PDU Session IDs outside of 1-15. An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required. Version 1.6.0 added PDU Session ID validations during NGAP message handling.

Deeper analysis

CVE-2026-33281 is a denial-of-service vulnerability in Ella Core, a 5G core implementation designed for private networks. Versions prior to 1.6.0 are affected, where the software panics upon processing NGAP messages containing invalid PDU Session IDs outside the valid range of 1-15. This issue is mapped to CWE-129 (Improper Validation of Array Index) and carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), reflecting medium severity primarily due to high availability impact.

An attacker with the ability to send crafted NGAP messages to an affected Ella Core deployment can trigger the panic, crashing the process and causing widespread service disruption for all connected subscribers. No authentication is required to deliver the malicious messages, enabling remote exploitation over the network with low complexity.

The official advisory, available at https://github.com/ellanetworks/core/security/advisories/GHSA-q669-4gmv-g8mf, recommends upgrading to version 1.6.0 or later, which introduces PDU Session ID validation during NGAP message handling to prevent the crash.
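The missing range check behind this CWE-129 crash, next to the kind of validation the 1.6.0 fix is described as adding, shown as an added Go example that is not Ella Core's own code. The types, function names and sample IDs are hypothetical; only the 1-15 range comes from the advisory text.

```go
package main

import (
	"errors"
	"fmt"
)

// The page gives 1-15 as the valid PDU Session ID range.
const minID, maxID = 1, 15
var ErrBadPDUSessionID = errors.New("PDU Session ID outside 1-15")

// session and ueContext are hypothetical types, not Ella Core's.
type session struct{ dnn string }

type ueContext struct {
	sessions [maxID + 1]*session // slot 0 unused so the ID is the index
}

// lookupUnchecked is the CWE-129 pattern: a decoded wire value indexes directly.
func (ue *ueContext) lookupUnchecked(raw int64) *session {
	return ue.sessions[raw] // runtime panic for raw < 0 or raw > 15
}

// lookupChecked validates the range first and returns an error to reject on.
func (ue *ueContext) lookupChecked(raw int64) (*session, error) {
	if raw < minID || raw > maxID {
		return nil, fmt.Errorf("%w: got %d", ErrBadPDUSessionID, raw)
	}
	if s := ue.sessions[raw]; s != nil {
		return s, nil
	}
	return nil, fmt.Errorf("no session for PDU Session ID %d", raw)
}

// panics reports whether f panics; used only to observe the crash safely.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	ue := &ueContext{}
	ue.sessions[5] = &session{dnn: "internet"}
	for _, raw := range []int64{5, 0, 16, 255} { // constructed sample IDs
		_, err := ue.lookupChecked(raw)
		fmt.Printf("id=%d panics=%v err=%v\n", raw, panics(func() { ue.lookupUnchecked(raw) }), err)
	}
}
```

ID 0 does not panic in the unchecked path because slot 0 exists, which is why the check is on the documented range and not only on the array bounds.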

Details

CWE(s)

Affected Products

ellanetworks
ella core
≤ 1.6.0

CVEs Like This One

CVE-2026-33282 · Same product: Ellanetworks Ella Core
CVE-2026-32320 · Same product: Ellanetworks Ella Core
CVE-2026-32319 · Same product: Ellanetworks Ella Core
CVE-2026-33283 · Same product: Ellanetworks Ella Core
CVE-2026-33906 · Same product: Ellanetworks Ella Core
CVE-2026-40886 · Shared CWE-129
CVE-2026-0528 · Shared CWE-129
CVE-2024-45569 · Shared CWE-129
CVE-2026-26932 · Shared CWE-129
CVE-2025-71086 · Shared CWE-129
