CVE-2026-33904 is a deadlock vulnerability categorized under CWE-833, found in the AMF (Access and Mobility Management Function) component of Ella Core, a 5G core network product designed for private network deployments. The vulnerability exists in versions prior to 1.7.0 and arises from improper handling of SCTP (Stream Control Transmission Protocol) notifications within the AMF. Specifically, the deadlock occurs in the SCTP notification handler when processing certain events, causing the AMF control plane to hang indefinitely until the process is manually restarted. This deadlock effectively halts the AMF's ability to manage subscriber sessions and mobility, resulting in a denial of service (DoS) for all subscribers connected through the affected AMF. Exploitation requires an attacker to have access to the N2 interface, which is the interface between the AMF and the RAN (Radio Access Network). The fix introduced in version 1.7.0 involves deferring radio cleanup operations in the serveConn SCTP server to ensure that every connection exit path properly removes radio resources, and removing the stale-entry scan from the SCTP notification handling logic to prevent the deadlock condition. The vulnerability has a CVSS v3.1 base score of 6.5, reflecting its medium severity due to the lack of confidentiality or integrity impact but significant availability disruption. No public exploits or active exploitation have been reported to date.

The primary impact of this vulnerability is a denial of service condition affecting the AMF control plane in the Ella Core 5G network. Since the AMF is critical for subscriber session management and mobility functions, its unavailability results in a complete loss of service for all subscribers relying on the affected AMF instance. This can lead to widespread network outages in private 5G deployments using Ella Core versions prior to 1.7.0. The disruption can affect enterprise operations, industrial automation, or any critical infrastructure relying on private 5G connectivity. Although the vulnerability does not compromise data confidentiality or integrity, the loss of availability can cause significant operational and financial damage, especially in environments requiring high network uptime and reliability. The requirement for attacker access to the N2 interface somewhat limits the attack surface but does not eliminate risk, as insider threats or compromised RAN elements could be leveraged. Given the growing adoption of private 5G networks in sectors such as manufacturing, logistics, and energy, the impact could be substantial in these industries.

To mitigate this vulnerability, organizations should upgrade Ella Core to version 1.7.0 or later, where the deadlock issue has been resolved. If immediate upgrade is not feasible, network administrators should restrict and monitor access to the N2 interface rigorously, ensuring only trusted and authenticated entities can communicate with the AMF. Implement network segmentation and strict firewall rules to isolate the N2 interface from untrusted networks or devices. Additionally, continuous monitoring of AMF process health and SCTP connection states can help detect early signs of deadlock or hangs, enabling rapid response and process restarts before widespread service disruption occurs. Incorporating automated failover or redundancy mechanisms for the AMF can also reduce downtime impact. Finally, coordinate with Ella Networks support for any available patches or workarounds and maintain up-to-date incident response plans tailored to private 5G network environments.