PT-2026-39669 · Go · Github.Com/Ellanetworks/Core

Published 2026-05-11 · Updated 2026-05-11 · CVE-2026-44475

CVSS v3.1: 6.1 Medium

Vector: AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L

Summary

Ella Core does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values. A malicious gNB can overwrite Ella Core's stored UE security capabilities for any UE with arbitrary values by sending a single crafted PathSwitchRequest.

Impact

A gNB can corrupt Ella Core's stored UE security capabilities for a target UE.

Fix

The PathSwitchRequest handler now compares the received UE Security Capabilities against Ella Core's locally stored values, preserves the stored values on mismatch, returns them in the PathSwitchRequestAcknowledge, and logs the event.
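
The flaw and the check described above, side by side, as an added example that is not Ella Core's code: the types, field names and function names are hypothetical, and the sample bitmaps are constructed.

```go
package main

import (
	"fmt"
	"log"
)

// UESecurityCapabilities holds the four 16-bit algorithm bitmaps of the NGAP
// UE Security Capabilities IE. Hypothetical type, not Ella Core's.
type UESecurityCapabilities struct {
	NREncryption, NRIntegrity, EUTRAEncryption, EUTRAIntegrity uint16
}

// UEContext is a hypothetical stand-in for the core's per-UE state.
type UEContext struct {
	AMFUENGAPID  int64
	SecurityCaps UESecurityCapabilities // the locally stored values
}

// UncheckedPathSwitchCaps illustrates the flaw: whatever the gNB sends
// replaces the stored value.
func UncheckedPathSwitchCaps(ue *UEContext, received UESecurityCapabilities) UESecurityCapabilities {
	ue.SecurityCaps = received
	return ue.SecurityCaps
}

// CheckedPathSwitchCaps compares received against stored, never writes the
// gNB's value into the context, logs a mismatch, and returns the stored
// value for the PathSwitchRequestAcknowledge.
func CheckedPathSwitchCaps(ue *UEContext, received UESecurityCapabilities) (UESecurityCapabilities, bool) {
	mismatch := received != ue.SecurityCaps
	if mismatch {
		log.Printf("PathSwitchRequest: UE security capabilities mismatch amf_ue_ngap_id=%d received=%+v stored=%+v",
			ue.AMFUENGAPID, received, ue.SecurityCaps)
	}
	return ue.SecurityCaps, mismatch
}

func main() {
	stored := UESecurityCapabilities{0xE000, 0xE000, 0xE000, 0xE000} // constructed sample
	forged := UESecurityCapabilities{}                               // constructed: no algorithms advertised
	a := &UEContext{AMFUENGAPID: 1, SecurityCaps: stored}
	b := &UEContext{AMFUENGAPID: 1, SecurityCaps: stored}
	UncheckedPathSwitchCaps(a, forged)
	ack, mismatch := CheckedPathSwitchCaps(b, forged)
	fmt.Println("unchecked kept stored:", a.SecurityCaps == stored)
	fmt.Println("checked kept stored:", b.SecurityCaps == stored, "ack is stored:", ack == stored, "mismatch:", mismatch)
}
```

The mismatch flag lets the caller raise an alert or counter per gNB in addition to the log line.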

Weakness Enumeration

Improperly Implemented Security Check for Standard

Related Identifiers

CVE-2026-44475
GHSA-PWFH-MQP3-PQWJ

Affected Products

Github.Com/Ellanetworks/Core