Moderate severityGHSA Advisory· Published May 11, 2026

Ella Core has a UE Security Capability bypass on NGAP PathSwitchRequest

CVE-2026-44475

Description

Summary

Ella Core does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values. A malicious gNB can overwrite Ella Core's stored UE security capabilities for any UE with arbitrary values by sending a single crafted PathSwitchRequest.

Impact

A gNB can corrupt Ella Core's stored UE security capabilities for a target UE.

Fix

The PathSwitchRequest handler now compares the received UE Security Capabilities against Ella Core's locally stored values, preserves the stored values on mismatch, returns them in the PathSwitchRequestAcknowledge, and logs the event.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/ellanetworks/coreGo	< 1.10.0	1.10.0

Affected products

Ellanetworks/CoreGHSA
Range: < 1.10.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-pwfh-mqp3-pqwjghsaADVISORY
github.com/ellanetworks/core/security/advisories/GHSA-pwfh-mqp3-pqwjghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000