CVE-2026-33282 (CVSS 7.5) is a NULL pointer dereference in Ella Core’s NGAP message processing logic, triggered by a single crafted LocationReport message from any unauthenticated host with network access to the NGAP interface, crashing the 5G core and disconnecting all subscribers. Organizations running Ella Core in private 5G environments should treat this as an urgent patch for critical network infrastructure. Actions: upgrade to Ella Core 1.6.0, and as an immediate network-layer control restrict NGAP interface access to trusted AMF and gNB source addresses only.