Ella Core has a UE Security Capability bypass on NGAP PathSwitchRequest

GHSA-pwfh-mqp3-pqwj · CVE-2026-44475

Published May 11, 2026 · Modified Jun 9, 2026

Description

Summary

Ella Core does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values. A malicious gNB can overwrite Ella Core's stored UE security capabilities for any UE with arbitrary values by sending a single crafted PathSwitchRequest.

Impact

A gNB can corrupt Ella Core's stored UE security capabilities for a target UE.

Fix

The PathSwitchRequest handler now compares the received UE Security Capabilities against Ella Core's locally stored values, preserves the stored values on mismatch, returns them in the PathSwitchRequestAcknowledge, and logs the event.

References

WEB https://github.com/ellanetworks/core/security/advisories/GHSA-pwfh-mqp3-pqwj
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-44475
PACKAGE https://github.com/ellanetworks/core

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes