CVE-2026-44474
Deferred Deferred - Pending Action
Concurrent Security Mode Command and N2 Handover Failure in Ella Core

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
Ella Core is a 5G core designed for private networks. Prior to 1.10.0, Ella Core didn't enforce security rules on concurrent running of security procedures defined in TS 33.501 Β§6.9.5.1 β€” it could send a NAS Security Mode Command while an N2 handover was still pending (and vice versa). Concurrent Security Mode Command and N2 handover produce a KgNB mismatch between the UE and target gNB, causing the handover to fail. Requires a stalled gNB + re-registration race to trigger. This vulnerability is fixed in 1.10.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-17
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-44474
EUVD
EUVD-2026-32561
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ella_networks ella_core to 1.10.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-358 The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in Ella Core, a 5G core designed for private networks, prior to version 1.10.0. It fails to enforce security rules on concurrent running of security procedures as defined in TS 33.501 Β§6.9.5.1. Specifically, it can send a NAS Security Mode Command while an N2 handover is still pending, or vice versa. This concurrency causes a KgNB mismatch between the User Equipment (UE) and the target gNB, which leads to handover failure.

Triggering this vulnerability requires a stalled gNB and a re-registration race condition.

The issue was fixed in version 1.10.0 of Ella Core.

Impact Analysis

This vulnerability can cause handover failures in 5G private networks using Ella Core prior to version 1.10.0. The KgNB mismatch between the UE and target gNB disrupts the handover process, potentially leading to degraded network performance or dropped connections during mobility events.

The CVSS base score of 3.7 indicates a low severity impact, with limited integrity and availability impact but no confidentiality impact.

Mitigation Strategies

The vulnerability is fixed in Ella Core version 1.10.0. Immediate mitigation involves upgrading to version 1.10.0 or later to ensure enforcement of security rules on concurrent running of security procedures.

Detection Guidance

This vulnerability involves concurrent execution of NAS Security Mode Command and N2 handover procedures, which leads to a KgNB key mismatch and handover failure. Detection would focus on monitoring for these concurrent procedures and failed handovers caused by key mismatches.

Since the vulnerability requires a stalled gNB and a re-registration race condition, network monitoring tools should look for abnormal handover failures and repeated re-registrations in the affected Ella Core versions prior to 1.10.0.

Specific commands are not provided in the available resources. However, network operators could use logs from the Ella Core system and gNBs to identify instances where a NAS Security Mode Command is sent while an N2 handover is still pending, or vice versa.

Commands might include querying logs or status of handover procedures and security commands on the network elements, but no explicit commands are detailed in the provided information.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44474. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart