CVE-2026-44475

MEDIUM6.1EPSS 0.02%

Ella Core has a UE Security Capability bypass on NGAP PathSwitchRequest

Published: 5/11/2026Modified: 5/11/2026

Description

## Summary Ella Core does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values. A malicious gNB can overwrite Ella Core's stored UE security capabilities for any UE with arbitrary values by sending a single crafted PathSwitchRequest. ## Impact A gNB can corrupt Ella Core's stored UE security capabilities for a target UE. ## Fix The PathSwitchRequest handler now compares the received UE Security Capabilities against Ella Core's locally stored values, preserves the stored values on mismatch, returns them in the PathSwitchRequestAcknowledge, and logs the event.

Affected packages (1)

Go/github.com/ellanetworks/corefrom 0, < 1.10.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L

References (2)

PATCHhttps://github.com/ellanetworks/core
WEBhttps://github.com/ellanetworks/core/security/advisories/GHSA-pwfh-mqp3-pqwj