CVE-2026-44473
Ella Core: UE Downlink Redirection via Forged PDUSessionResourceSetupResponse
CVSS Score
7.1
EPSS Score
0.0%
EPSS Percentile
4th
Ella Core is a 5G core designed for private networks. Prior to 1.10.0, a radio with a valid NG Setup can send a forged PDUSessionResourceSetupResponse carrying any UE's AMF-UE-NGAP-ID. Ella Core does not verify the message arrived on the SCTP association bound to that UE's logical NG-connection, then creates a GTP tunnel towards that radio. This vulnerability is fixed in 1.10.0.
| CWE | CWE-358 CWE-863 |
| Vendor | ellanetworks |
| Product | core |
| Published | May 27, 2026 |
| Last Updated | May 28, 2026 |
Stay Ahead of the Next One
Get instant alerts for ellanetworks core
Be the first to know when new high vulnerabilities affecting ellanetworks core are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High
Affected Versions
ellanetworks / core
< 1.10.0