GHSA-j478-p7vq-3347

Suggest an improvement
Source
https://github.com/advisories/GHSA-j478-p7vq-3347
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-j478-p7vq-3347/GHSA-j478-p7vq-3347.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-j478-p7vq-3347
Aliases
Published
2026-03-12T20:33:28Z
Modified
2026-03-23T04:56:01.367525150Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Ella Core: AMF DoS via malformed PathSwitchRequest with empty NR security capability bitstrings
Details

Summary

Ella Core panics when processing a PathSwitchRequest containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings, resulting in a denial of service.

Impact

An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required.

Fix

Added length validation on NR algorithm bitstrings before accessing them in the PathSwitchRequest handler.

Database specific 
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-125"
    ],
    "nvd_published_at": "2026-03-13T19:54:42Z",
    "github_reviewed_at": "2026-03-12T20:33:28Z",
    "severity": "MODERATE"
}
References

Affected packages

Go / github.com/ellanetworks/core

Package

Name
github.com/ellanetworks/core
View open source insights on deps.dev
Purl
pkg:golang/github.com/ellanetworks/core

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.5.1

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-j478-p7vq-3347/GHSA-j478-p7vq-3347.json"