CVE-2026-44473
BaseFortify
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ella_networks | core | up to 1.10.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-358 | The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Ella Core, a 5G core designed for private networks. Before version 1.10.0, a radio device with a valid NG Setup could send a forged PDUSessionResourceSetupResponse message that includes any UE's AMF-UE-NGAP-ID. Ella Core does not verify whether this message actually arrived on the SCTP association linked to that UE's logical NG-connection. As a result, the system creates a GTP tunnel towards the radio based on the forged message.
This flaw allows an attacker to impersonate or interfere with other user equipment sessions by exploiting the lack of verification in message origin and association.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized creation of GTP tunnels towards radios, potentially allowing attackers to interfere with or hijack user equipment sessions within the 5G private network.
This can result in denial of service (as indicated by the CVSS score's high impact on availability), and limited confidentiality impact, meaning some data exposure or session disruption could occur.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Ella Core to version 1.10.0 or later, where the issue has been fixed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to redirect downlink user-plane traffic of a UE to a malicious radio by exploiting improper verification of message origin. While the primary impact is on availability, there is also a secondary impact on confidentiality due to potential unauthorized access to user data.
Such unauthorized redirection and potential interception of user data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require ensuring confidentiality and integrity of personal and sensitive data. The failure to properly authorize and verify message sources represents a security control weakness that may violate these standards' requirements for protecting user information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a malicious radio sending a forged PDUSessionResourceSetupResponse message with any UE's AMF-UE-NGAP-ID over an SCTP association. Detection would involve monitoring SCTP associations and NGAP messages for anomalies, such as PDUSessionResourceSetupResponse messages arriving on unexpected SCTP associations or from radios that do not correspond to the UE's logical NG-connection.
Commands to detect this could include capturing and inspecting SCTP traffic and NGAP messages using network analysis tools like tshark or tcpdump. For example, you could use tshark to filter SCTP packets and analyze NGAP message contents to verify the source SCTP association matches the UE context.
- tshark -i <interface> -Y "sctp && ngap" -V
- tcpdump -i <interface> -w capture.pcap sctp
After capturing, analyze the NGAP PDUSessionResourceSetupResponse messages to check if the AMF-UE-NGAP-ID matches the SCTP association from which the message was received. Any mismatch could indicate exploitation attempts.
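The mismatch check described above, as an added example (not code from Ella Core or from this advisory). It assumes the NGAP messages have already been exported from a capture into records carrying the SCTP association, direction, message name and AMF-UE-NGAP-ID; the record layout, association labels and sample events are constructed for illustration.

```python
from dataclasses import dataclass

SETUP_RESPONSE = "PDUSessionResourceSetupResponse"
RELEASE_COMPLETE = "UEContextReleaseComplete"


@dataclass(frozen=True)
class NgapEvent:
    assoc: str           # SCTP association the message was seen on (constructed label)
    direction: str       # "dl" = AMF to radio, "ul" = radio to AMF
    message: str         # NGAP message name
    amf_ue_ngap_id: int


def find_mismatches(events):
    """Return (event, reason) for each setup response seen on an unexpected association."""
    owner = {}   # AMF-UE-NGAP-ID -> association the AMF last used for that UE
    alerts = []
    for ev in events:
        if ev.direction == "dl":
            # The AMF's own downlink traffic is the trusted view of where the UE is;
            # following the latest one also tracks a UE that moved to another radio.
            owner[ev.amf_ue_ngap_id] = ev.assoc
        elif ev.message == SETUP_RESPONSE:
            expected = owner.get(ev.amf_ue_ngap_id)
            if expected is None:
                alerts.append((ev, "unknown-ue"))
            elif expected != ev.assoc:
                alerts.append((ev, "wrong-association"))
        elif ev.message == RELEASE_COMPLETE and owner.get(ev.amf_ue_ngap_id) == ev.assoc:
            del owner[ev.amf_ue_ngap_id]   # context released; later use of the ID is suspect
    return alerts


# Constructed sample: two radios; UE 1 and UE 2 are both served through gnb-a.
SAMPLE = [
    NgapEvent("gnb-a", "dl", "DownlinkNASTransport", 1),
    NgapEvent("gnb-a", "dl", "PDUSessionResourceSetupRequest", 1),
    NgapEvent("gnb-a", "ul", SETUP_RESPONSE, 1),      # expected association
    NgapEvent("gnb-a", "dl", "PDUSessionResourceSetupRequest", 2),
    NgapEvent("gnb-b", "ul", SETUP_RESPONSE, 2),      # UE 2 belongs to gnb-a
    NgapEvent("gnb-a", "ul", RELEASE_COMPLETE, 1),
    NgapEvent("gnb-a", "ul", SETUP_RESPONSE, 1),      # ID no longer has a context
]

if __name__ == "__main__":
    for ev, reason in find_mismatches(SAMPLE):
        print(f"{reason}: {ev.message} for AMF-UE-NGAP-ID {ev.amf_ue_ngap_id} on {ev.assoc}")
```

An "unknown-ue" result can also mean the capture started after the UE context was created, so treat it as a lead to confirm against the core's own logs rather than as proof.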