LOW 3.7 Go
Ella Core has handover failures during concurrent Security Mode Command
GHSA-mc29-hmx6-856q · CVE-2026-44474
Published · Modified
Description
Summary
Ella Core did not enforce the rules on concurrent running of security procedures defined in TS 33.501 §6.9.5.1: it could send a NAS Security Mode Command while an N2 handover was still pending (and vice versa).
Impact
A concurrent Security Mode Command and N2 handover produce a KgNB mismatch between the UE and the target gNB, causing the handover to fail. Triggering it requires a stalled gNB combined with a re-registration race.
Fix
Ella Core now enforces both rules from §6.9.5.1, blocking concurrent Security Mode Command and N2 handover procedures.
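The mutual exclusion described in the fix can be sketched as a per-UE guard that refuses to start either procedure while the other is pending. This is an added example, not Ella Core's code; `UEGuard`, `Begin`, `End`, `ErrConflict` and the `Procedure` constants are hypothetical names chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Procedure is a security procedure that changes key material for one UE.
type Procedure int

const (
	None Procedure = iota
	SecurityModeCommand
	N2Handover
)

var ErrConflict = errors.New("conflicting security procedure pending")

// UEGuard (hypothetical name) holds the pending-procedure state for one UE.
type UEGuard struct {
	mu      sync.Mutex
	pending Procedure
}

// Begin checks and claims the slot under one lock, so NAS and NGAP handlers
// racing on the same UE cannot both pass the check.
func (g *UEGuard) Begin(p Procedure) error {
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.pending != None && g.pending != p {
		return fmt.Errorf("%w: %d blocked by %d", ErrConflict, p, g.pending)
	}
	g.pending = p
	return nil
}

// End must run on completion, failure and timeout; otherwise a stalled gNB
// would leave the handover pending and block every later procedure.
func (g *UEGuard) End(p Procedure) {
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.pending == p {
		g.pending = None
	}
}

func main() {
	g := &UEGuard{}
	fmt.Println(g.Begin(N2Handover), g.Begin(SecurityModeCommand)) // handover pending, SMC refused
	g.End(N2Handover)                                              // handover timer expires
	fmt.Println(g.Begin(SecurityModeCommand))                      // SMC may now start
}
```

Rejecting the second procedure is one possible policy; queuing it until `End` is called would also keep the two from overlapping.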