CVE-2026-44475
Ella Core has a UE Security Capability bypass on NGAP PathSwitchRequest
Description
## Summary

Ella Core does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values. A malicious gNB can overwrite Ella Core's stored UE security capabilities for any UE with arbitrary values by sending a single crafted PathSwitchRequest.

## Impact

A gNB can corrupt Ella Core's stored UE security capabilities for a target UE.

## Fix

The PathSwitchRequest handler now compares the received UE Security Capabilities against Ella Core's locally stored values, preserves the stored values on mismatch, returns them in the PathSwitchRequestAcknowledge, and logs the event.
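The check described in the fix, next to the pre-fix behaviour, as an added Go example. It is not Ella Core's code: the types, function names, log format and sample bitmaps are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"log"
)

// SecurityCapabilities models the four algorithm bitmaps of the NGAP
// UE Security Capabilities IE. All names in this example are hypothetical.
type SecurityCapabilities struct {
	NREncryption, NRIntegrity       uint16
	EUTRAEncryption, EUTRAIntegrity uint16
}

// UEContext stands in for the core's per-UE state.
type UEContext struct {
	ID     string
	Stored SecurityCapabilities // value the core already holds for this UE
}

// pathSwitchUnverified models the pre-fix behaviour the advisory describes:
// whatever the gNB sends replaces the stored capabilities.
func pathSwitchUnverified(ue *UEContext, received SecurityCapabilities) SecurityCapabilities {
	ue.Stored = received
	return ue.Stored
}

// pathSwitchVerified models the fixed behaviour: compare, keep the stored
// value on mismatch, log the event, and return the stored value for the
// PathSwitchRequestAcknowledge. The bool reports whether a mismatch was seen.
func pathSwitchVerified(ue *UEContext, received SecurityCapabilities, gnb string) (SecurityCapabilities, bool) {
	if received == ue.Stored {
		return ue.Stored, false
	}
	log.Printf("PathSwitchRequest: UE security capabilities mismatch ue=%s gnb=%s stored=%+v received=%+v",
		ue.ID, gnb, ue.Stored, received)
	return ue.Stored, true
}

func main() {
	// Constructed sample values: stored bitmaps vs. all-zero bitmaps from a gNB.
	stored := SecurityCapabilities{0xE000, 0xE000, 0xE000, 0xE000}
	ue := &UEContext{ID: "ue-1", Stored: stored}
	ack, mismatch := pathSwitchVerified(ue, SecurityCapabilities{}, "gnb-a")
	fmt.Println(ack == stored, ue.Stored == stored, mismatch) // true true true
}
```

The mismatch log line is the detection signal: a gNB that repeatedly triggers it for UEs it serves is worth investigating.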
How to fix CVE-2026-44475
To remediate CVE-2026-44475, upgrade the affected package to a fixed version below.
- Upgrade to 1.10.0 or later
Is CVE-2026-44475 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.10.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L |