Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
FlexRIC v2.0.0 crashes when an SCTP association is closed before an E2_SETUP_REQUEST is sent. The near-RT RIC assumes a mapping between SCTP association and E2 node always exists in the cleanup path and enforces this via assert(). A remote unauthenticated attacker can crash the near-RT RIC (port 36421) by simply completing an SCTP handshake and immediately disconnecting, without sending any E2AP message.
AnalysisAI
Remote denial-of-service in FlexRIC v2.0.0 near-RT RIC allows unauthenticated attackers to crash the controller (port 36421) by completing an SCTP handshake and immediately disconnecting without sending any E2AP message. The cleanup path triggers a reachable assert() because the code assumes an SCTP-association-to-E2-node mapping always exists. No public exploit identified at time of analysis, but the trigger is trivial and the CVSS vector (AV:N/AC:L/PR:N/UI:N, A:H) reflects a low-effort network attack with high availability impact.
Technical ContextAI
FlexRIC is the EURECOM/Mosaic5G open-source implementation of the O-RAN near-Real-Time RAN Intelligent Controller (near-RT RIC), which terminates the E2 interface that connects to E2 nodes (gNBs, eNBs, O-CUs/O-DUs) over SCTP, typically on port 36421. The E2AP setup procedure begins with an E2_SETUP_REQUEST sent over an established SCTP association. The root cause is CWE-617 (Reachable Assertion): the cleanup handler on SCTP teardown invokes assert() to validate an internal mapping between the SCTP association and an E2 node, but that mapping is only populated after an E2_SETUP_REQUEST is processed. When the peer disconnects after the SCTP four-way handshake but before any E2AP message is exchanged, the assertion fires and aborts the process. Affected upstream is hosted at gitlab.eurecom.fr/mosaic5g/flexric.
RemediationAI
No vendor-released patch identified at time of analysis; the NVD entry references the upstream Mosaic5G FlexRIC GitLab repository and a third-party advisory at https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37220.md but no fixed version is cited in the provided inputs - monitor the upstream repo for a release that replaces the assert() with a defensive null check on the SCTP-to-E2-node mapping. As compensating controls, restrict SCTP reachability on port 36421 to known E2 node IPs via host or network ACLs (trade-off: requires maintaining an allowlist as E2 nodes are added or relocated), terminate the E2 plane on a dedicated isolated VLAN/VRF separated from management and external networks (trade-off: requires deployment-time network design), and consider supervising the RIC process with an auto-restart unit such as systemd Restart=always (trade-off: restores availability after a crash but does not prevent repeated DoS, and may mask the attack from operators unless paired with crash-loop alerting).
Same weakness CWE-617 – Reachable Assertion
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33659
GHSA-wgcx-v4x6-3pp9