CVE-2026-44475
MEDIUM6.1EPSS 0.02%Ella Core has a UE Security Capability bypass on NGAP PathSwitchRequest
發布日:2026/5/11修改日:2026/5/11
描述
## Summary Ella Core does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values. A malicious gNB can overwrite Ella Core's stored UE security capabilities for any UE with arbitrary values by sending a single crafted PathSwitchRequest. ## Impact A gNB can corrupt Ella Core's stored UE security capabilities for a target UE. ## Fix The PathSwitchRequest handler now compares the received UE Security Capabilities against Ella Core's locally stored values, preserves the stored values on mismatch, returns them in the PathSwitchRequestAcknowledge, and logs the event.
受影響套件(1)
- Go/github.com/ellanetworks/corefrom 0, < 1.10.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L |