Skip to main content

Ella Core CVE-2026-44475

| EUVDEUVD-2026-32562 MEDIUM
Improperly Implemented Security Check for Standard (CWE-358)
2026-05-11 https://github.com/ellanetworks/core GHSA-pwfh-mqp3-pqwj
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Source Code Evidence Fetched
May 11, 2026 - 15:47 vuln.today
Analysis Generated
May 11, 2026 - 15:47 vuln.today
CVE Published
May 11, 2026 - 15:29 nvd
MEDIUM 6.1

DescriptionGitHub Advisory

Summary

Ella Core does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values. A malicious gNB can overwrite Ella Core's stored UE security capabilities for any UE with arbitrary values by sending a single crafted PathSwitchRequest.

Impact

A gNB can corrupt Ella Core's stored UE security capabilities for a target UE.

Fix

The PathSwitchRequest handler now compares the received UE Security Capabilities against Ella Core's locally stored values, preserves the stored values on mismatch, returns them in the PathSwitchRequestAcknowledge, and logs the event.

AnalysisAI

Malicious gNB can corrupt Ella Core's stored UE security capabilities by sending a crafted NGAP PathSwitchRequest message without validation, allowing integrity compromise of security parameters for any user equipment. The vulnerability affects Ella Core versions prior to 1.10.0 and requires access to the NGAP interface (adjacent network), but can degrade security posture by enabling capability downgrades or feature injection. No public exploit code or active exploitation has been reported.

Technical ContextAI

Ella Core is a 3GPP 5G core network implementation written in Go. The vulnerability exists in the PathSwitchRequest handler for the NGAP (NG Application Protocol), which manages communication between gNBs (5G base stations) and the core network. NGAP is a critical protocol for UE (User Equipment) mobility and handover management. UE Security Capabilities are cryptographic and algorithmic parameters negotiated during authentication that protect user data and signaling. The root cause is CWE-358 (Improperly Implemented Security Check for Standard), where the PathSwitchRequest handler accepts and applies received UE Security Capabilities without comparing them against previously stored, validated values. A malicious or compromised gNB can exploit this to overwrite legitimate security capabilities with weaker or attacker-controlled values, potentially downgrading encryption, integrity protection, or enabling feature injection attacks downstream.

RemediationAI

Upgrade Ella Core to version 1.10.0 or later immediately, as this is the patched version addressing the PathSwitchRequest validation bypass. The fix introduces comparison logic that validates received UE Security Capabilities against stored values, preserves legitimate values on mismatch, and logs such events for audit trails. If immediate upgrade is not possible, implement network-level compensating controls: restrict NGAP traffic to trusted gNBs only using firewall rules on the NGAP interface (typically port 38412 for SCTP), require mutual TLS authentication for gNB connections if your deployment supports it, and monitor NGAP traffic for PathSwitchRequest messages with anomalous UE Security Capability values. These controls mitigate the attack surface but do not fix the underlying validation gap; patching remains mandatory. See GitHub advisory GHSA-pwfh-mqp3-pqwj for detailed guidance.

Share

CVE-2026-44475 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy