EXECUTIVE SUMMARY:
CVE-2026-44473 with a CVSS score of 8.1 is a vulnerability in the Ella Core framework, specifically affecting versions less than 1.10.0, which allows an adjacent attacker to redirect downlink user-plane traffic for a targeted user equipment (UE) to their own radio. This occurs when a radio with a valid NG Setup sends a forged PDUSessionResourceSetupResponse carrying any UE's AMF-UE-NGAP-ID, and Ella Core fails to verify the message arrived on the SCTP association bound to that UE's logical NG-connection, then creates a GTP tunnel towards that radio. An attacker can exploit this vulnerability by sending a forged PDUSessionResourceSetupResponse, requiring only adjacent access to the targeted UE and NG Setup. By doing so, the attacker gains the capability to intercept and redirect downlink user-plane traffic for the targeted UE. If exploited, this vulnerability can lead to significant business impact and consequences, including potential data breaches, compromised network security, and disruption of critical services. The exploitation of this vulnerability requires the presence of a valid NG Setup and a targeted UE within the same SCTP association.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
CVE-2026-44473 with a CVSS score of 8.1 is a vulnerability in the Ella Core framework, specifically affecting versions less than 1.10.0, which allows an adjacent attacker to redirect downlink user-plane traffic for a targeted user equipment (UE) to their own radio. This occurs when a radio with a valid NG Setup sends a forged PDUSessionResourceSetupResponse carrying any UE's AMF-UE-NGAP-ID, and Ella Core fails to verify the message arrived on the SCTP association bound to that UE's logical NG-connection, then creates a GTP tunnel towards that radio. An attacker can exploit this vulnerability by sending a forged PDUSessionResourceSetupResponse, requiring only adjacent access to the targeted UE and NG Setup. By doing so, the attacker gains the capability to intercept and redirect downlink user-plane traffic for the targeted UE. If exploited, this vulnerability can lead to significant business impact and consequences, including potential data breaches, compromised network security, and disruption of critical services. The exploitation of this vulnerability requires the presence of a valid NG Setup and a targeted UE within the same SCTP association.[emaillocker id="1283"]
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-qfxw-v8qx-vj3v