PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44475 ellanetworks CVE debrief

Ella Core is a 5G core designed for private networks. Prior to version 1.10.0, the software fails to verify UE Security Capabilities received in NGAP PathSwitchRequest messages against locally stored values. A malicious gNB (gNodeB) can exploit this weakness to overwrite Ella Core's stored UE security capabilities for any UE with arbitrary values by sending a single crafted PathSwitchRequest message. This represents a violation of expected cryptographic protocol behavior where security capabilities should be validated against previously established parameters. The vulnerability stems from improper validation of security-relevant attributes during the handover procedure, specifically within the NGAP (NG Application Protocol) message handling. The CVSS 3.1 vector indicates attack complexity is low, requires no privileges, no user interaction, and can affect resources beyond the vulnerable component scope. The confidentiality impact is none, with low impacts to both integrity and availability. The weakness is categorized as CWE-358: Improperly Implemented Security Check for Standard.

Vendor
ellanetworks
Product
core
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations operating private 5G networks using Ella Core, telecommunications security teams, mobile network operators deploying private 5G infrastructure, and security researchers focused on 5G core network vulnerabilities.

Technical summary

Missing validation of UE Security Capabilities in NGAP PathSwitchRequest messages allows arbitrary overwrite by malicious gNBs.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Ella Core to version 1.10.0 or later to remediate this vulnerability.
  • Review NGAP message handling implementations for proper validation of UE Security Capabilities against locally stored values.
  • Implement monitoring for anomalous PathSwitchRequest patterns that may indicate exploitation attempts.
  • Audit gNB trust boundaries and consider additional authentication controls for NGAP signaling.
  • Verify integrity of UE security capability records in environments where Ella Core versions prior to 1.10.0 were deployed.

Evidence notes

CVE published 2026-05-27T17:16:39.360Z; modified 2026-05-27T20:03:09.937Z. Advisory source: GitHub Security Advisory GHSA-pwfh-mqp3-pqwj. Fix version: 1.10.0.

Official resources

2026-05-27