What is the CVSS score of CVE-2026-44473?

CVE-2026-44473 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of Ella Core are affected by CVE-2026-44473?

Ella Core 5G AMF software versions before 1.10.0 allow malicious radios to redirect victim user equipment downlink traffic to attacker-controlled infrastructure, enabling traffic interception and…. A patch is available.

Ella Core CVE-2026-44473

EUVD-2026-32563 HIGH

Improperly Implemented Security Check for Standard (CWE-358)

2026-05-11 https://github.com/ellanetworks/core

GHSA-qfxw-v8qx-vj3v

Information Disclosure

7.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

High

Lifecycle Timeline

Source Code Evidence Fetched

May 11, 2026 - 15:46 vuln.today

Analysis Generated

May 11, 2026 - 15:46 vuln.today

CVE Published

May 11, 2026 - 15:18 nvd

HIGH 7.1

DescriptionNVD

Summary

A radio with a valid NG Setup can send a forged PDUSessionResourceSetupResponse carrying any UE's AMF-UE-NGAP-ID. Ella Core does not verify the message arrived on the SCTP association bound to that UE's logical NG-connection, then creates a GTP tunnel towards that radio.

Impact

Downlink user-plane traffic for the targeted UE is redirected to the attacker's radio.

Fix

UE context lookups are now scoped to the sending radio's SCTP association.

AnalysisAI

User equipment (UE) downlink traffic can be redirected to attacker-controlled radios in Ella Core (5G AMF software) versions prior to 1.10.0. A malicious radio with a valid NG Setup connection can forge PDUSessionResourceSetupResponse messages using arbitrary AMF-UE-NGAP-IDs, causing Ella Core to create GTP tunnels that misdirect victim UE downlink packets to the attacker's radio. …

RemediationAI

Within 24 hours: Inventory all Ella Core deployments and identify systems running versions prior to 1.10.0; isolate affected AMF instances from production if version confirmation is unavailable. Within 7 days: Deploy vendor patch to Ella Core version 1.10.0 across all affected 5G AMF infrastructure, prioritizing systems serving critical enterprise or government mobile users. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-44473 vulnerability details – vuln.today

Back

Ella Core CVE-2026-44473

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Summary

Impact

Fix

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code