
Ella Core vulnerabilities uncovered by P1 Security

P1 Security uncovered multiple Ella Core AMF denial of service vulnerabilities affecting NGAP and NAS message handling in private 5G core environments. Full technical details, affected versions, and remediation information are available at cve.p1sec.com.

TelcoSec News
Apr 16, 2026

Ella Core is an open source 5G core designed for private network deployments, including factories, warehouses, ports, campuses, and other enterprise environments where reliable mobile connectivity is essential. That makes control plane resilience a security requirement, not just a quality issue.

In 2026, a cluster of vulnerabilities affecting Ella Core’s Access and Mobility Management Function, or AMF, showed that malformed NGAP and NAS traffic could trigger panic conditions and crash the process. These findings uncovered denial of service risks in the 5G control plane and reinforced a simple truth: parser robustness is a core part of telecom security.

For the full technical breakdown, affected versions, CVE references, and remediation details, see P1 Security’s security advisories at cve.p1sec.com. That is the central source for the disclosures related to these findings.

Why Ella Core matters for private 5G security

Ella Core is built for real private 5G deployments, not just lab environments. It is designed for industrial and enterprise use cases where teams want a more accessible 5G core for operational rollouts. That makes it attractive for organizations building mobile connectivity into production environments.

But platform simplicity does not reduce protocol risk.

In a 5G core, the AMF is one of the most critical control plane functions. It handles essential operations such as device registration, mobility management, and signaling coordination between the radio side and the rest of the core. If malformed signaling can crash the AMF, the impact can go far beyond a single malformed packet. It can affect service availability, subscriber procedures, and overall network stability.

That is why AMF denial of service vulnerabilities matter, especially in private 5G environments where mobile connectivity may support operationally important systems.

What P1 Security found in Ella Core

The vulnerabilities uncovered by P1 Security point to a broader pattern: malformed protocol input was not always handled defensively before reaching AMF logic.

One issue involved invalid NGAP NGReset handling, where malformed reset signaling could trigger a crash instead of being rejected safely.

Another issue, CVE-2026-32319, involved a short integrity protected NAS payload. Under malformed conditions, Ella Core could panic when processing a payload that was too short.

A separate issue, CVE-2026-32320, affected PathSwitchRequest handling. Empty NR security capability bitstrings could trigger a denial of service condition in the AMF.

Additional issues expanded the same pattern.

CVE-2026-33281 affected invalid PDU Session IDs in NGAP messages.

CVE-2026-33282 affected malformed NGAP LocationReport handling.

CVE-2026-33283 affected malformed UL NAS Transport handling when a Request Type was missing under conditions where no session management context existed.

Taken together, these vulnerabilities show a consistent control plane weakness: malformed NGAP and NAS traffic could reach logic paths that made unsafe assumptions about message structure, field presence, or valid values.

The technical pattern behind the Ella Core vulnerabilities

What makes this set of Ella Core vulnerabilities especially important is how consistent the weakness pattern is across multiple findings.

The first issue is mandatory field validation. Some handlers assumed required information elements were present and safe to use.

The second issue is length validation. Some code paths did not verify that enough bytes were available before processing variable length content.

The third issue is information element presence checking. Some handlers assumed optional or related fields existed when malformed traffic could omit them.

The fourth issue is semantic bounds enforcement. Some values were accepted into AMF logic before being checked against valid protocol ranges.

These are exactly the kinds of weaknesses that experienced telecom security researchers look for during deep protocol analysis. They are also exactly the kinds of weaknesses that generic security testing often misses.
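The four validation classes above, shown as reject-instead-of-panic checks in Go. This is an added example, not code from Ella Core or from P1 Security's advisories. The type and function names are hypothetical, the 7-byte header follows the security protected 5GS NAS layout, and the 1..15 PDU Session ID range is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified message type; not Ella Core's own structure.
type ULNASTransport struct {
	PDUSessionID, RequestType *uint8 // nil when the IE is absent
}

var ErrMalformed = errors.New("malformed signaling message")

const secHdrLen = 7 // EPD(1) + security header type(1) + MAC(4) + sequence number(1)

// SplitProtectedNAS validates the length before slicing out the MAC and inner message.
func SplitProtectedNAS(b []byte) (mac, plain []byte, err error) {
	if len(b) <= secHdrLen {
		return nil, nil, fmt.Errorf("%w: protected NAS is %d bytes", ErrMalformed, len(b))
	}
	return b[2:6], b[secHdrLen:], nil
}

// SupportsNEA reads bit n (1 = most significant bit of octet 0); the bit string may be empty.
func SupportsNEA(bits []byte, n uint) (bool, error) {
	if len(bits) == 0 || n < 1 || n > 8 {
		return false, fmt.Errorf("%w: capability bit string", ErrMalformed)
	}
	return bits[0]&(0x80>>(n-1)) != 0, nil
}

// CheckULNASTransport covers IE presence and value range (1..15 is assumed here).
func CheckULNASTransport(m *ULNASTransport, hasSMContext bool) error {
	switch {
	case m == nil || m.PDUSessionID == nil:
		return fmt.Errorf("%w: PDU Session ID missing", ErrMalformed)
	case *m.PDUSessionID < 1 || *m.PDUSessionID > 15:
		return fmt.Errorf("%w: PDU Session ID %d", ErrMalformed, *m.PDUSessionID)
	case !hasSMContext && m.RequestType == nil:
		return fmt.Errorf("%w: Request Type missing, no SM context", ErrMalformed)
	}
	return nil
}

func main() { // constructed malformed inputs: each yields an error, none panics
	_, _, e1 := SplitProtectedNAS([]byte{0x7e, 0x02, 0xaa})
	_, e2 := SupportsNEA(nil, 1)
	fmt.Println(e1, e2, CheckULNASTransport(&ULNASTransport{}, false))
}
```

Every failure wraps `ErrMalformed`, so a caller can log and drop the message with one `errors.Is` check while the process keeps running.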

Why this research matters

This research matters because it highlights the difference between general security testing and telecom security testing.

Telecom software does not fail only through obvious authentication problems or exposed interfaces. It also fails through protocol parsing mistakes, unsafe state assumptions, and weak validation across signaling layers. In mobile core environments, those weaknesses can translate directly into availability issues.

The Ella Core case is a strong example of why specialized telecom security expertise remains essential. It shows how malformed signaling can become an operational risk when control plane functions are not hardened against edge cases and hostile input.

It also reinforces a broader lesson for the private 5G market. As adoption grows, implementation resilience matters just as much as feature completeness. A platform can be easy to deploy and operationally attractive, but if malformed signaling can still crash a core function, the real attack surface remains significant.

Affected versions and fixes

The public disclosures show two main remediation points for the issues uncovered by P1 Security.

The following vulnerabilities were fixed in Ella Core 1.5.1:

CVE-2026-32319, panic on short integrity protected NAS payload

CVE-2026-32320, panic on empty NR security capability in PathSwitchRequest

The following vulnerabilities were fixed in Ella Core 1.6.0:

CVE-2026-33281, panic on invalid PDU Session IDs in NGAP messages

CVE-2026-33282, panic on malformed NGAP LocationReport

CVE-2026-33283, panic on malformed UL NAS Transport without a Request Type

The invalid NGAP NGReset AMF crash was disclosed separately and follows the same broader pattern of parser and validation weaknesses in control plane handling.

For readers who want the full technical details, CVE mapping, affected versions, and fix information, P1 Security’s security advisories are available at cve.p1sec.com. The advisories contain the complete reference material for these disclosures.

The bigger lesson for private 5G security

The Ella Core findings are a reminder that 5G core security is not only about encryption, authentication, or API exposure.

It is also about how safely the software handles malformed protocol input at every stage of parsing and state processing.

That is where deep telecom security expertise becomes critical.

Malformed NGAP and NAS traffic should be rejected safely. It should never be able to take down a core control plane function. The vulnerabilities uncovered in Ella Core show what happens when that boundary is not enforced strongly enough.

They also show why telecom focused security research continues to deliver real value for both open source projects and production deployments.

Final take

The Ella Core disclosures show how denial of service risk can emerge from parser and validation weaknesses inside a 5G core control plane. P1 Security uncovered a cluster of vulnerabilities affecting Ella Core’s handling of NGAP and NAS traffic, helping drive fixes that strengthened the project’s AMF resilience.

For anyone building, operating, or assessing private 5G infrastructure, the takeaway is clear: implementation resilience matters. A private 5G core can be operationally attractive and easy to deploy, but if malformed signaling can still crash control plane functions, the security posture remains exposed.

For the full technical details, CVE references, affected versions, and remediation information, see P1 Security’s security advisories at cve.p1sec.com. The complete disclosure material is available there.
