Ella Core Vulnerable to UE Downlink Redirection via Forged PDUSessionResourceSetupResponse
Description
Published to the GitHub Advisory Database: May 11, 2026
Reviewed: May 11, 2026
Published by the National Vulnerability Database: May 27, 2026
Last updated: Jun 8, 2026
Summary
A radio with a valid NG Setup can send a forged PDUSessionResourceSetupResponse carrying any UE's AMF-UE-NGAP-ID. Ella Core does not verify that the message arrived on the SCTP association bound to that UE's logical NG-connection, and then creates a GTP tunnel towards that radio.
Impact
Downlink user-plane traffic for the targeted UE is redirected to the attacker's radio.
Fix
UE context lookups are now scoped to the sending radio's SCTP association.
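The difference between an unscoped and an association-scoped UE context lookup, as an added example in Go. It is a simplified model written for this page, not Ella Core's code; the types `AssocID`, `UEContext`, `Core` and all function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// AssocID stands in for an SCTP association handle (hypothetical type).
type AssocID int

// UEContext is a simplified, hypothetical UE record.
type UEContext struct {
	Radio      AssocID // association the UE's NG-connection is bound to
	DownlinkTo AssocID // radio the downlink GTP tunnel points at
}

// Core maps AMF-UE-NGAP-ID to UE context (hypothetical structure).
type Core struct{ ues map[int64]*UEContext }

var ErrNoUE = errors.New("no such UE on this association")

// lookup resolves a UE by AMF-UE-NGAP-ID. With scoped=false any radio may
// name any UE; with scoped=true the sender must own the UE's NG-connection.
func (c *Core) lookup(sender AssocID, id int64, scoped bool) (*UEContext, error) {
	ue, ok := c.ues[id]
	if !ok || (scoped && ue.Radio != sender) {
		return nil, ErrNoUE
	}
	return ue, nil
}

// HandleSetupResponse points the UE's downlink tunnel at the sending radio.
func (c *Core) HandleSetupResponse(sender AssocID, id int64, scoped bool) error {
	ue, err := c.lookup(sender, id, scoped)
	if err != nil {
		return err
	}
	ue.DownlinkTo = sender
	return nil
}

func main() {
	// Constructed scenario: UE 7 is bound to radio 1; radio 2 sends the response.
	for _, scoped := range []bool{false, true} {
		c := &Core{ues: map[int64]*UEContext{7: {Radio: 1, DownlinkTo: 1}}}
		err := c.HandleSetupResponse(2, 7, scoped)
		fmt.Printf("scoped=%v err=%v downlink->radio %d\n", scoped, err, c.ues[7].DownlinkTo)
	}
}
```

The scoped lookup returns the same error for an unknown ID and for an ID owned by another association, so a radio cannot use the response to learn which AMF-UE-NGAP-IDs exist elsewhere.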
References