Description
Ericsson Packet Core Controller (PCC) versions prior to 1.38 contain a vulnerability where an attacker sending a large volume of specially crafted messages may cause service degradation.
Published: 2026-04-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The vulnerability arises from improper handling of syntactically invalid structures within the Ericsson Packet Core Controller. An attacker can send a large volume of specially crafted messages that the controller processes, leading to resource exhaustion and degraded service. This results in a denial-of-service condition, as the affected system may become unable to process legitimate traffic. The weakness is classified as CWE-228, Improper Handling of Syntactically Invalid Structure.

Affected Systems

Affected products include Ericsson Packet Core Controller (PCC) versions earlier than 1.38. The exposure applies to all installations that run these earlier releases, regardless of deployment size or geographic region, as the flaw is in the core message handling layer. No further version granularity is provided in the advisory.

Risk and Exploitability

The CVSS score of 5.3 places the issue in the Medium range, and the EPSS value of less than 1% indicates a very low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog, further suggesting that active exploitation is not widespread. Based on the description, the likely attack vector is remote access to the controller over the network by sending malformed packets; the published CVSS vector rates this as adjacent-network access (AV:A) with high attack complexity (AC:H), and no privileges or user interaction are required (PR:N/UI:N).

Generated by OpenCVE AI on April 10, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PCC to version 1.38 or later where the issue is fixed.
  • If an immediate upgrade is not possible, monitor network traffic for unusually high volumes of malformed messages and block offending sources.
  • Apply any existing Ericsson security patches or advisories that address related message handling vulnerabilities.
  • Configure firewalls and rate‑limiting controls to mitigate large message bursts.
  • Continue to follow Ericsson security announcements for updates and additional guidance.

Generated by OpenCVE AI on April 10, 2026 at 16:27 UTC.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:ericsson:packet_core_controller:*:*:*:*:*:*:*:*

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Ericsson
Ericsson packet Core Controller
Vendors & Products Ericsson
Ericsson packet Core Controller

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Description Ericsson Packet Core Controller (PCC) versions prior to 1.38 contain a vulnerability where an attacker sending a large volume of specially crafted messages may cause service degradation.
Title Ericsson Packet Core Controller (PCC) - Improper Handling of Syntactically Invalid Structure Vulnerability
Weaknesses CWE-228
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: ERIC

Published:

Updated: 2026-04-01T12:39:41.380Z

Reserved: 2024-11-22T14:21:37.002Z

Link: CVE-2024-53828

Vulnrichment

Updated: 2026-04-01T12:39:23.293Z

NVD

Status: Analyzed

Published: 2026-04-01T10:16:14.190

Modified: 2026-04-10T15:44:45.707

Link: CVE-2024-53828

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:28:08Z
