CVE-2026-44473
HighSummary
Ella Core, designed for private 5G networks, prior to version 1.10.0, allowed a radio with a valid NG Setup to send forged PDUSessionResourceSetupResponse messages. The system did not verify if the message arrived over the correct NG connection, leading to the creation of a GTP tunnel towards that radio.
Risk Assessment
This vulnerability could lead to unauthorized access to network resources, posing a serious threat to the security of private 5G networks.
Recommendation
It is recommended to upgrade to version 1.10.0 or later to mitigate this vulnerability.
Original NVD description (English source)
Ella Core is a 5G core designed for private networks. Prior to 1.10.0, a radio with a valid NG Setup can send a forged PDUSessionResourceSetupResponse carrying any UE's AMF-UE-NGAP-ID. Ella Core does not verify the message arrived on the SCTP association bound to that UE's logical NG-connection, then creates a GTP tunnel towards that radio. This vulnerability is fixed in 1.10.0.

