CVE-2026-44475: Ella Core has a UE Security Capability bypass on NGAP PathSwitchRequest

May 11, 2026 (updated June 8, 2026)

Ella Core does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values. A malicious gNB can overwrite Ella Core’s stored UE security capabilities for any UE with arbitrary values by sending a single crafted PathSwitchRequest.

References

github.com/advisories/GHSA-pwfh-mqp3-pqwj
github.com/ellanetworks/core/security/advisories/GHSA-pwfh-mqp3-pqwj
nvd.nist.gov/vuln/detail/CVE-2026-44475

Code Behaviors & Features

Detect and mitigate CVE-2026-44475 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →