CVE-2026-44475
Deferred Deferred - Pending Action
Ella Core UE Security Capabilities Overwrite via PathSwitchRequest

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
Ella Core is a 5G core designed for private networks. Prior to 1.10.0, Ella Core does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values. A malicious gNB can overwrite Ella Core's stored UE security capabilities for any UE with arbitrary values by sending a single crafted PathSwitchRequest. This vulnerability is fixed in 1.10.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-17
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-44475
EUVD
EUVD-2026-32562
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ella_networks ella_core to 1.10.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-358 The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

Ella Core is a 5G core designed for private networks. Before version 1.10.0, it did not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values.

This means a malicious gNB (next generation NodeB) can send a specially crafted PathSwitchRequest message to overwrite the stored UE security capabilities for any UE with arbitrary values.

This vulnerability was fixed in version 1.10.0.

Impact Analysis

The vulnerability allows a malicious gNB to overwrite the stored UE security capabilities with arbitrary values.

According to the CVSS v3.1 score of 6.1, the impact includes low integrity and low availability impacts, meaning an attacker could potentially alter security settings and disrupt service availability.

Mitigation Strategies

To mitigate this vulnerability, upgrade Ella Core to version 1.10.0 or later, where the issue has been fixed.

Detection Guidance

This vulnerability involves a malicious gNB sending a crafted NGAP PathSwitchRequest message to overwrite stored UE security capabilities in Ella Core versions prior to 1.10.0.

Detection can focus on monitoring NGAP PathSwitchRequest messages for unusual or unexpected UE Security Capabilities values that differ from locally stored values.

Since the fix includes logging mismatches between received and stored UE Security Capabilities, reviewing logs for such events can help detect exploitation attempts.

Specific commands are not provided in the available resources, but network monitoring tools or packet capture utilities (e.g., tcpdump or Wireshark) can be used to capture and analyze NGAP PathSwitchRequest messages for anomalies.

For example, using tcpdump to capture NGAP traffic on the relevant interface and port could be done with a command like: tcpdump -i <interface> -w capture.pcap port <NGAP_port>

Subsequent analysis of the capture file with Wireshark or a custom script could identify PathSwitchRequest messages with UE Security Capabilities that do not match expected values.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44475. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart