Skip to main content

Ella Core CVE-2026-44473

| EUVDEUVD-2026-32563 HIGH
Improperly Implemented Security Check for Standard (CWE-358)
2026-05-11 https://github.com/ellanetworks/core GHSA-qfxw-v8qx-vj3v
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 11, 2026 - 15:46 vuln.today
Analysis Generated
May 11, 2026 - 15:46 vuln.today
CVE Published
May 11, 2026 - 15:18 nvd
HIGH 7.1

DescriptionGitHub Advisory

Summary

A radio with a valid NG Setup can send a forged PDUSessionResourceSetupResponse carrying any UE's AMF-UE-NGAP-ID. Ella Core does not verify the message arrived on the SCTP association bound to that UE's logical NG-connection, then creates a GTP tunnel towards that radio.

Impact

Downlink user-plane traffic for the targeted UE is redirected to the attacker's radio.

Fix

UE context lookups are now scoped to the sending radio's SCTP association.

AnalysisAI

User equipment (UE) downlink traffic can be redirected to attacker-controlled radios in Ella Core (5G AMF software) versions prior to 1.10.0. A malicious radio with a valid NG Setup connection can forge PDUSessionResourceSetupResponse messages using arbitrary AMF-UE-NGAP-IDs, causing Ella Core to create GTP tunnels that misdirect victim UE downlink packets to the attacker's radio. This enables traffic interception and denial of service against targeted UEs. The vulnerability stems from missing validation that NGAP messages arrive on the correct SCTP association for the UE context. No public exploit identified at time of analysis, and EPSS data not available. Vendor-released patch: version 1.10.0.

Technical ContextAI

Ella Core is an open-source 5G Access and Mobility Management Function (AMF) implemented in Go. The vulnerability affects the NG interface protocol stack (3GPP TS 23.502), specifically the NGAP (NG Application Protocol) message handling between radios (gNodeBs) and the AMF. NGAP messages are transported over SCTP associations. PDUSessionResourceSetupResponse messages contain AMF-UE-NGAP-IDs that identify UE contexts, and are used to establish GTP-U tunnels for user-plane traffic. The flaw is a missing origin validation (CWE-358: Improperly Implemented Security Check for Standard) - the AMF fails to verify that the SCTP association carrying the message matches the association bound to the claimed UE's logical NG-connection. This allows a rogue radio to impersonate legitimate UE sessions and hijack their downlink data paths by creating malicious GTP tunnel endpoints.

RemediationAI

Upgrade Ella Core to version 1.10.0 or later, which implements SCTP association scoping for UE context lookups to prevent cross-association message forgery. The fix ensures that PDUSessionResourceSetupResponse messages are validated against the sending radio's SCTP association before creating GTP tunnels. Download the patched version from the GitHub repository at https://github.com/ellanetworks/core or via Go package manager. For operators unable to upgrade immediately, implement compensating controls by restricting NG interface access to trusted radios only through network segmentation (isolate the N2 interface), deploying IPsec or TLS over SCTP to cryptographically bind messages to associations (increases operational complexity and may impact performance), and enabling aggressive monitoring for anomalous PDU session creations such as multiple sessions from different radios for the same AMF-UE-NGAP-ID (requires SIEM integration and may generate false positives in legitimate handover scenarios). These mitigations reduce but do not eliminate risk since a compromised legitimate radio can still exploit the vulnerability. Review vendor advisory at https://github.com/ellanetworks/core/security/advisories/GHSA-qfxw-v8qx-vj3v for additional deployment guidance.

Share

CVE-2026-44473 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy