Skip to main content

FlexRIC CVE-2026-37228

HIGH
Reachable Assertion (CWE-617)
2026-06-01 mitre
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 02, 2026 - 14:22 vuln.today
CVSS changed
Jun 02, 2026 - 14:22 NVD
7.5 (HIGH)
CVE Published
Jun 01, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

FlexRIC v2.0.0 contains a reachable assertion in e2ap_recv_sctp_msg() (src/lib/ep/e2ap_ep.c). The function allocates a fixed 32KB receive buffer and enforces assert(rc < len) on the sctp_recvmsg() return value. A remote unauthenticated attacker can send a single SCTP message with payload >= 32,768 bytes to crash the near-RT RIC, iApp, E2 Agent, or xApp process via SIGABRT. No valid E2AP PDU is required. All four SCTP endpoint types (ports 36421 and 36422) share this vulnerable code path. In Release builds (NDEBUG), the stripped assertion leads to a signed-to-unsigned integer overflow and potential out-of-bounds read.

AnalysisAI

Remote denial-of-service in FlexRIC v2.0.0 allows unauthenticated attackers to crash near-RT RIC, iApp, E2 Agent, or xApp processes by sending a single oversized SCTP message (>=32,768 bytes) to ports 36421 or 36422. The flaw is a reachable assertion in e2ap_recv_sctp_msg() that triggers SIGABRT in debug builds, while NDEBUG release builds face a signed-to-unsigned integer overflow leading to potential out-of-bounds reads. No public exploit identified at time of analysis and EPSS probability is very low (0.04%), but the trivial preconditions make this a meaningful availability risk for O-RAN deployments.

Technical ContextAI

FlexRIC is EURECOM's open-source implementation of the O-RAN near-real-time RAN Intelligent Controller (near-RT RIC) and associated E2 agents/xApps, which communicate over SCTP using the E2AP protocol on standard ports 36421 (E2) and 36422 (A1/management variants). The vulnerable code path lives in src/lib/ep/e2ap_ep.c where the function allocates a fixed 32KB stack/heap receive buffer and uses assert(rc < len) to validate the byte count returned by sctp_recvmsg(). The CWE-617 (Reachable Assertion) root cause means a defensive check intended to catch programmer error is reachable by attacker-controlled network input, and the secondary defect - a signed-to-unsigned conversion when assertions are compiled out - can transform the crash into an out-of-bounds read of adjacent memory.

RemediationAI

No vendor-released patch identified at time of analysis; operators should monitor the upstream repository at https://gitlab.eurecom.fr/mosaic5g/flexric and the third-party advisory at https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37228.md for a fixed release. Until a patch is available, restrict SCTP access on ports 36421 and 36422 to a dedicated management VLAN or IPsec tunnel between known RIC, E2 agent, and xApp peers (this is the standard O-RAN deployment posture and has minimal side effects); add upstream rate-limiting or size-based filtering at an SCTP-aware middlebox to drop messages above 32KB (note that legitimate E2AP PDUs are typically well below this threshold, so false positives should be rare); and as a source-code workaround, locally patch e2ap_recv_sctp_msg() to replace the assert with a bounded length check that discards oversized datagrams and continues the receive loop, accepting the maintenance cost of carrying a downstream patch.

Share

CVE-2026-37228 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy