Description
Ella Core is a 5G core designed for private networks. Prior to 1.10.0, Ella Core does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values. A malicious gNB can overwrite Ella Core's stored UE security capabilities for any UE with arbitrary values by sending a single crafted PathSwitchRequest. This vulnerability is fixed in 1.10.0.
Published: 2026-05-27
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to version 1.10.0, the 5G core software does not verify the UE Security Capabilities field in NGAP PathSwitchRequest messages against its locally stored values. This shortcoming allows a malicious gNB to send a single crafted PathSwitchRequest that overwrites the stored UE security capabilities for any user equipment with arbitrary values, potentially enabling unauthorized network access or weakening the security posture of the core.

Affected Systems

Ella Networks Core 5G implementations older than version 1.10.0 are affected. All deployments using these versions are susceptible to this capability bypass, regardless of the number of user equipments connected.

Risk and Exploitability

The CVSS score of 6.1 indicates medium severity, and the vulnerability is not currently listed in the CISA KEV catalog, but an attacker who controls or compromises a gNB can exploit it via the air interface. Exploitation requires knowledge of the correct message format and the ability to inject a PathSwitchRequest; no remote code execution or privilege escalation on the core software itself is needed. The EPSS score is not available, so the current likelihood of exploitation is unknown.

Generated by OpenCVE AI on May 27, 2026 at 19:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Ella Core to version 1.10.0 or later, which validates UE Security Capabilities in PathSwitchRequest messages
  • If an immediate upgrade is not feasible, configure the core to reject PathSwitchRequest messages from untrusted gNBs or enforce explicit validation of UC capabilities by an external policy engine
  • Enable logging and monitoring for unusual PathSwitchRequest activity, and block or quarantine any gNB reporting anomalous capability values

Generated by OpenCVE AI on May 27, 2026 at 19:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-pwfh-mqp3-pqwj Ella Core has a UE Security Capability bypass on NGAP PathSwitchRequest
History

Thu, 28 May 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Ellanetworks
Ellanetworks core
Vendors & Products Ellanetworks
Ellanetworks core

Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description Ella Core is a 5G core designed for private networks. Prior to 1.10.0, Ella Core does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values. A malicious gNB can overwrite Ella Core's stored UE security capabilities for any UE with arbitrary values by sending a single crafted PathSwitchRequest. This vulnerability is fixed in 1.10.0.
Title Ella Core: UE Security Capability bypass on NGAP PathSwitchRequest
Weaknesses CWE-358
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L'}

Subscriptions

Ellanetworks Core
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T15:15:27.767Z

Reserved: 2026-05-06T17:18:51.782Z

Link: CVE-2026-44475

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-05-27T17:16:39.360

Modified: 2026-05-27T20:03:09.937

Link: CVE-2026-44475

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T03:30:05Z

Weaknesses