Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
FlexRIC v2.0.0 contains a reachable assertion in e2ap_recv_sctp_msg() (src/lib/ep/e2ap_ep.c). The function allocates a fixed 32KB receive buffer and enforces assert(rc < len) on the sctp_recvmsg() return value. A remote unauthenticated attacker can send a single SCTP message with payload >= 32,768 bytes to crash the near-RT RIC, iApp, E2 Agent, or xApp process via SIGABRT. No valid E2AP PDU is required. All four SCTP endpoint types (ports 36421 and 36422) share this vulnerable code path. In Release builds (NDEBUG), the stripped assertion leads to a signed-to-unsigned integer overflow and potential out-of-bounds read.
AnalysisAI
Remote denial-of-service in FlexRIC v2.0.0 allows unauthenticated attackers to crash near-RT RIC, iApp, E2 Agent, or xApp processes by sending a single oversized SCTP message (>=32,768 bytes) to ports 36421 or 36422. The flaw is a reachable assertion in e2ap_recv_sctp_msg() that triggers SIGABRT in debug builds, while NDEBUG release builds face a signed-to-unsigned integer overflow leading to potential out-of-bounds reads. No public exploit identified at time of analysis and EPSS probability is very low (0.04%), but the trivial preconditions make this a meaningful availability risk for O-RAN deployments.
Technical ContextAI
FlexRIC is EURECOM's open-source implementation of the O-RAN near-real-time RAN Intelligent Controller (near-RT RIC) and associated E2 agents/xApps, which communicate over SCTP using the E2AP protocol on standard ports 36421 (E2) and 36422 (A1/management variants). The vulnerable code path lives in src/lib/ep/e2ap_ep.c where the function allocates a fixed 32KB stack/heap receive buffer and uses assert(rc < len) to validate the byte count returned by sctp_recvmsg(). The CWE-617 (Reachable Assertion) root cause means a defensive check intended to catch programmer error is reachable by attacker-controlled network input, and the secondary defect - a signed-to-unsigned conversion when assertions are compiled out - can transform the crash into an out-of-bounds read of adjacent memory.
RemediationAI
No vendor-released patch identified at time of analysis; operators should monitor the upstream repository at https://gitlab.eurecom.fr/mosaic5g/flexric and the third-party advisory at https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37228.md for a fixed release. Until a patch is available, restrict SCTP access on ports 36421 and 36422 to a dedicated management VLAN or IPsec tunnel between known RIC, E2 agent, and xApp peers (this is the standard O-RAN deployment posture and has minimal side effects); add upstream rate-limiting or size-based filtering at an SCTP-aware middlebox to drop messages above 32KB (note that legitimate E2AP PDUs are typically well below this threshold, so false positives should be rare); and as a source-code workaround, locally patch e2ap_recv_sctp_msg() to replace the assert with a bounded length check that discards oversized datagrams and continues the receive loop, accepting the maintenance cost of carrying a downstream patch.
Same weakness CWE-617 – Reachable Assertion
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today