CVE-2026-44473: Ella Core Vulnerable to UE Downlink Redirection via Forged PDUSessionResourceSetupResponse

May 11, 2026 (updated June 8, 2026)

A radio with a valid NG Setup can send a forged PDUSessionResourceSetupResponse carrying any UE’s AMF-UE-NGAP-ID. Ella Core does not verify the message arrived on the SCTP association bound to that UE’s logical NG-connection, then creates a GTP tunnel towards that radio.

References

github.com/advisories/GHSA-qfxw-v8qx-vj3v
github.com/ellanetworks/core/security/advisories/GHSA-qfxw-v8qx-vj3v
nvd.nist.gov/vuln/detail/CVE-2026-44473

Code Behaviors & Features

Detect and mitigate CVE-2026-44473 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →