PT-2026-39667 · Ellanetworks+1 · Core+1

Sjna0414 · Published 2026-05-11 · Updated 2026-05-27 · CVE-2026-44473

CVSS v3.1: 7.1 High

Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Ella Core versions prior to 1.10.0

Description

A radio with a valid NG Setup can send a forged 'PDUSessionResourceSetupResponse' carrying any UE's AMF-UE-NGAP-ID. The software fails to verify whether the message arrived on the SCTP association bound to the logical NG-connection of that UE, and it then creates a GTP tunnel towards the radio. As a result, downlink user-plane traffic for the targeted UE is redirected to the attacker's radio.

Recommendations

Update to version 1.10.0.
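
The missing check described above, sketched as an added example (this is not Ella Core's code, nor the patch shipped in 1.10.0). All type, field and function names are hypothetical, and the IDs and addresses are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical types for illustration; not Ella Core's data structures.
type AssocID int // identifies one SCTP association (one radio)

type UEContext struct {
	AmfUeNgapID int64
	Assoc       AssocID // association the UE's logical NG-connection is bound to
	TunnelPeer  string  // downlink GTP tunnel endpoint, empty until set up
}

type AMF struct{ ues map[int64]*UEContext }

var (
	ErrUnknownUE  = errors.New("unknown AMF-UE-NGAP-ID")
	ErrWrongAssoc = errors.New("message arrived on an association not bound to this UE")
)

// HandleSetupResponse processes a PDUSessionResourceSetupResponse received on
// association `from`. The tunnel endpoint is only recorded when `from` is the
// association that owns the UE's NG-connection.
func (a *AMF) HandleSetupResponse(from AssocID, amfUeNgapID int64, gtpPeer string) error {
	ue, ok := a.ues[amfUeNgapID]
	if !ok {
		return ErrUnknownUE
	}
	if ue.Assoc != from { // the check whose absence the advisory describes
		return fmt.Errorf("%w: ue=%d bound=%d got=%d", ErrWrongAssoc, amfUeNgapID, ue.Assoc, from)
	}
	ue.TunnelPeer = gtpPeer
	return nil
}

// Demo runs a constructed scenario: UE 7 is served over association 1, and a
// response naming UE 7 arrives on association 2 before the legitimate one.
func Demo() (mismatch error, legit error, peer string) {
	amf := &AMF{ues: map[int64]*UEContext{7: {AmfUeNgapID: 7, Assoc: 1}}}
	mismatch = amf.HandleSetupResponse(2, 7, "198.51.100.20")
	legit = amf.HandleSetupResponse(1, 7, "192.0.2.10")
	return mismatch, legit, amf.ues[7].TunnelPeer
}

func main() { fmt.Println(Demo()) }
```

Rejections with `ErrWrongAssoc` are worth logging with both association identifiers, since a mismatch points to a misbehaving or hostile radio.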

Fix

Incorrect Authorization

Improperly Implemented Security Check for Standard

Weakness Enumeration

Related Identifiers

CVE-2026-44473
GHSA-QFXW-V8QX-VJ3V

Affected Products

Core
Github.Com/Ellanetworks/Core