Severity by source
AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
Ella Core does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values. A malicious gNB can overwrite Ella Core's stored UE security capabilities for any UE with arbitrary values by sending a single crafted PathSwitchRequest.
Impact
A gNB can corrupt Ella Core's stored UE security capabilities for a target UE.
Fix
The PathSwitchRequest handler now compares the received UE Security Capabilities against Ella Core's locally stored values, preserves the stored values on mismatch, returns them in the PathSwitchRequestAcknowledge, and logs the event.
AnalysisAI
Malicious gNB can corrupt Ella Core's stored UE security capabilities by sending a crafted NGAP PathSwitchRequest message without validation, allowing integrity compromise of security parameters for any user equipment. The vulnerability affects Ella Core versions prior to 1.10.0 and requires access to the NGAP interface (adjacent network), but can degrade security posture by enabling capability downgrades or feature injection. No public exploit code or active exploitation has been reported.
Technical ContextAI
Ella Core is a 3GPP 5G core network implementation written in Go. The vulnerability exists in the PathSwitchRequest handler for the NGAP (NG Application Protocol), which manages communication between gNBs (5G base stations) and the core network. NGAP is a critical protocol for UE (User Equipment) mobility and handover management. UE Security Capabilities are cryptographic and algorithmic parameters negotiated during authentication that protect user data and signaling. The root cause is CWE-358 (Improperly Implemented Security Check for Standard), where the PathSwitchRequest handler accepts and applies received UE Security Capabilities without comparing them against previously stored, validated values. A malicious or compromised gNB can exploit this to overwrite legitimate security capabilities with weaker or attacker-controlled values, potentially downgrading encryption, integrity protection, or enabling feature injection attacks downstream.
RemediationAI
Upgrade Ella Core to version 1.10.0 or later immediately, as this is the patched version addressing the PathSwitchRequest validation bypass. The fix introduces comparison logic that validates received UE Security Capabilities against stored values, preserves legitimate values on mismatch, and logs such events for audit trails. If immediate upgrade is not possible, implement network-level compensating controls: restrict NGAP traffic to trusted gNBs only using firewall rules on the NGAP interface (typically port 38412 for SCTP), require mutual TLS authentication for gNB connections if your deployment supports it, and monitor NGAP traffic for PathSwitchRequest messages with anomalous UE Security Capability values. These controls mitigate the attack surface but do not fix the underlying validation gap; patching remains mandatory. See GitHub advisory GHSA-pwfh-mqp3-pqwj for detailed guidance.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32562
GHSA-pwfh-mqp3-pqwj