CVE-2026-44474 - Vulnerability Details

- Ella Core: Handover failures during concurrent Security Mode Command

Description

Ella Core is a 5G core designed for private networks. Prior to 1.10.0, Ella Core didn't enforce security rules on concurrent running of security procedures defined in TS 33.501 §6.9.5.1 — it could send a NAS Security Mode Command while an N2 handover was still pending (and vice versa). Concurrent Security Mode Command and N2 handover produce a KgNB mismatch between the UE and target gNB, causing the handover to fail. Requires a stalled gNB + re-registration race to trigger. This vulnerability is fixed in 1.10.0.

Published: 2026-05-27

Score: 3.7 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises when Ella Core fails to enforce security rules for concurrent execution of security procedures defined in TS 33.501 §6.9.5.1. This flaw is a race condition (CWE-358). This allows a NAS Security Mode Command to be sent while an N2 handover is still pending, or vice versa. The resulting KgNB mismatch between the UE and the target gNB causes the handover to fail, leading to disrupted connectivity for affected UEs.

Affected Systems

Ella Core deployments built with any version prior to 1.10.0 are affected. The issue is present in the private‑network 5G core software released by Ellanetworks.

Risk and Exploitability

The CVSS score of 3.7 indicates a moderate impact. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalogue. The attack requires a specific race condition involving a stalled gNB and a UE re‑registration, implying a higher expertise level and a low probability of exploitation under normal operational conditions. The likely attack vector is an internal race condition rather than a remote attack surface. Consequently, the overall risk to organizations is considered moderate but warrants remediation to prevent potential service disruption.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ellanetworks

core

affected

Version	Status	Constraints
`< 1.10.0`	affected	—

No data.

Vendor Product Confidence Versions

Ellanetworks

Core

100%

Version	Status	Scheme	Platform
`[0,1.10.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the vendor‑supplied upgrade to Ella Core version 1.10.0 or later, which includes the fix for concurrent security procedure enforcement.
If an upgrade is impractical, configure the network to prevent a Security Mode Command from being issued while an N2 handover is in progress, thereby serializing the two procedures and eliminating the KgNB mismatch condition.
Enable logging of handover failures and KgNB mismatch events so that any residual failures can be detected and investigated promptly.

Generated by OpenCVE AI on May 27, 2026 at 21:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-mc29-hmx6-856q	Ella Core has handover failures during concurrent Security Mode Command

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00134.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/ellanetworks/core/security/advisories/GHSA-mc29-hmx6-856q

History

Thu, 28 May 2026 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ellanetworks Ellanetworks core
Vendors & Products		Ellanetworks Ellanetworks core

Wed, 27 May 2026 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 27 May 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		Ella Core is a 5G core designed for private networks. Prior to 1.10.0, Ella Core didn't enforce security rules on concurrent running of security procedures defined in TS 33.501 §6.9.5.1 — it could send a NAS Security Mode Command while an N2 handover was still pending (and vice versa). Concurrent Security Mode Command and N2 handover produce a KgNB mismatch between the UE and target gNB, causing the handover to fail. Requires a stalled gNB + re-registration race to trigger. This vulnerability is fixed in 1.10.0.
Title		Ella Core: Handover failures during concurrent Security Mode Command
Weaknesses		CWE-358
References		https://github.com/ellanetworks/core/security/advisories/GHSA-mc29-hmx6-856q
Metrics		cvssV3_1 `{'score': 3.7, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L'}`

Subscriptions

Ellanetworks Core

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-27T15:14:49.390Z

Updated: 2026-05-27T17:23:14.076Z

Reserved: 2026-05-06T17:18:51.782Z

Link: CVE-2026-44474

Vulnrichment

Updated: 2026-05-27T17:22:55.996Z

NVD

Status : Deferred

Published: 2026-05-27T17:16:39.220

Modified: 2026-06-17T10:50:41.797

Link: CVE-2026-44474

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T02:15:03Z

Weaknesses

CWE-358
Improperly Implemented Security Check for Standard

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object