CVE-2026-44474 ellanetworks CVE debrief

Who should care

Operators of private 5G networks using Ella Core; telecommunications security engineers; 5G core infrastructure administrators

Technical summary

Ella Core versions before 1.10.0 fail to enforce mutual exclusion between NAS Security Mode Command and N2 handover procedures as required by 3GPP TS 33.501 §6.9.5.1. When both procedures execute concurrently, the UE and target gNB derive mismatched KgNB keys, causing handover failure. The vulnerability requires specific timing: a stalled gNB state combined with UE re-registration race. This is a protocol state machine flaw rather than cryptographic weakness. The fix in 1.10.0 adds proper security procedure sequencing enforcement.

Defensive priority

LOW

Recommended defensive actions

• Upgrade Ella Core to version 1.10.0 or later to resolve the KgNB mismatch vulnerability
• Monitor gNB health to detect stalled states that could contribute to race condition triggering
• Review 3GPP TS 33.501 §6.9.5.1 implementation for additional security procedure ordering constraints
• Validate handover success rates in private 5G deployments as potential indicator of exploitation attempts

Evidence notes

Official CVE record published 2026-05-27. Advisory confirms fix in Ella Core 1.10.0. CWE-358 (Improperly Implemented Security Check for Standard) assigned. CVSS vector AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L reflects adjacent access, high complexity, and low integrity/availability impact.

Official resources