HIGH 7.1 Go
Ella Core Vulnerable to UE Downlink Redirection via Forged PDUSessionResourceSetupResponse
GHSA-qfxw-v8qx-vj3v · CVE-2026-44473
Description
Summary
A radio with a valid NG Setup can send a forged PDUSessionResourceSetupResponse carrying any UE's AMF-UE-NGAP-ID. Ella Core does not verify that the message arrived on the SCTP association bound to that UE's logical NG-connection, and it then creates a GTP tunnel towards that radio.
Impact
Downlink user-plane traffic for the targeted UE is redirected to the attacker's radio.
Fix
UE context lookups are now scoped to the sending radio's SCTP association.
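The difference between an ID-only lookup and a lookup scoped to the sending association, as an added Go example (not Ella Core's own code). All type and function names are hypothetical, and the IDs and addresses are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical types for illustration; not Ella Core's own code.
type AssocID int // one SCTP association, i.e. one radio

type UEContext struct {
	Assoc       AssocID // association the UE's NG-connection is bound to
	DownlinkGTP string  // where downlink user-plane traffic is tunnelled
}

type Core struct{ ues map[int64]*UEContext } // keyed by AMF-UE-NGAP-ID

var ErrNoUE = errors.New("no such UE context on the sending association")

// lookupGlobal is the vulnerable pattern: the ID alone selects the UE.
func (c *Core) lookupGlobal(id int64) *UEContext { return c.ues[id] }

// lookupScoped also requires arrival on the UE's own association.
func (c *Core) lookupScoped(from AssocID, id int64) *UEContext {
	if ue := c.ues[id]; ue != nil && ue.Assoc == from {
		return ue
	}
	return nil
}

// HandleSetupResponse sets the UE's downlink tunnel from the response.
func (c *Core) HandleSetupResponse(from AssocID, id int64, gtp string, scoped bool) error {
	ue := c.lookupGlobal(id)
	if scoped {
		ue = c.lookupScoped(from, id)
	}
	if ue == nil {
		return ErrNoUE // message dropped, UE state untouched
	}
	ue.DownlinkGTP = gtp
	return nil
}

func main() {
	// Constructed sample: UE 7 is bound to association 1; association 2 sends.
	c := &Core{ues: map[int64]*UEContext{7: {Assoc: 1, DownlinkGTP: "10.0.0.1"}}}
	fmt.Println(c.HandleSetupResponse(2, 7, "10.0.0.99", true), c.ues[7].DownlinkGTP)
}
```

Returning the same error for an unknown ID and for a known ID on the wrong association keeps the handler from revealing which AMF-UE-NGAP-IDs exist to a radio that does not serve them.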