FlexRIC CVE-2026-37226
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
FlexRIC v2.0.0 crashes when the iApp receives an E42_RIC_SUBSCRIPTION_REQUEST referencing a non-existent E2 Node. The lookup function returns NULL, which is enforced by assert() in Debug builds (SIGABRT) and dereferenced in Release builds (SIGSEGV). A remote unauthenticated attacker can crash the iApp process (port 36422) by sending a subscription request with an arbitrary global_e2_node_id.
AnalysisAI
Remote denial of service in FlexRIC v2.0.0 allows unauthenticated network attackers to crash the iApp process by sending an E42_RIC_SUBSCRIPTION_REQUEST referencing a non-existent E2 Node, triggering either a SIGABRT (Debug builds via assert) or SIGSEGV (Release builds via NULL pointer dereference) on TCP port 36422. No public exploit identified at time of analysis, and EPSS is very low (0.04%, 12th percentile), but the CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and trivial trigger conditions make this a meaningful availability risk for any exposed FlexRIC RAN Intelligent Controller deployment.
Technical ContextAI
FlexRIC is EURECOM's open-source flexible RAN Intelligent Controller for 5G/O-RAN testbeds, implementing the E2 interface used between the RIC and E2 nodes (gNBs, CU/DU). The vulnerability sits in the iApp's E2AP subscription handling path: when an E42_RIC_SUBSCRIPTION_REQUEST arrives carrying a global_e2_node_id, the iApp performs a lookup that returns NULL if no matching node is registered. CWE-476 (NULL Pointer Dereference) applies because the returned pointer is then used without a null check - assert() catches it loudly in Debug builds (SIGABRT), while Release builds proceed to dereference and crash with SIGSEGV. The default listener on TCP/36422 corresponds to the E2AP interface port commonly bound by RIC implementations.
RemediationAI
No vendor-released patch identified at time of analysis; the only references are the upstream GitLab repository and a third-party advisory, neither of which cites a fixed release tag. Operators should monitor https://gitlab.eurecom.fr/mosaic5g/flexric for an updated release or commit addressing the missing NULL check on the E2 node lookup in the E42_RIC_SUBSCRIPTION_REQUEST handler, and may apply a local source patch that validates the lookup result before dereference. As compensating controls, restrict TCP/36422 to known E2 node IP addresses via host firewall or network ACL (side effect: any legitimate but unregistered E2 node will be unable to subscribe and must be allow-listed explicitly), deploy FlexRIC only on isolated management/RAN VLANs rather than routable networks, and run the iApp under a process supervisor that auto-restarts on SIGSEGV/SIGABRT to limit outage duration (side effect: repeated crashes may mask the underlying attack and consume CPU). Avoid running Debug builds in production since assert() turns the crash into an unconditional abort.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Null Pointer Dereference
View allShare
External POC / Exploit Code
Leaving vuln.today