Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
FlexRIC v2.0.0 contains a reachable assertion in e2ap_create_pdu() triggered when ASN.1 PER decoding fails. A remote unauthenticated attacker can send any non-PER byte sequence (e.g., a single 0x00 byte) over SCTP to the near-RT RIC (port 36421) or iApp (port 36422) to crash the process via SIGABRT. The assertion is reached before any protocol-level validation occurs. All three E2AP protocol versions (v1.01, v2.03, v3.01) are affected.
AnalysisAI
Remote denial of service in FlexRIC v2.0.0 allows unauthenticated attackers to crash the near-RT RIC or iApp process by sending a single malformed byte over SCTP to ports 36421 or 36422. The flaw is a reachable assertion in e2ap_create_pdu() that fires before any protocol validation, affecting all three E2AP protocol versions (v1.01, v2.03, v3.01). No public exploit identified at time of analysis and EPSS is low (0.03%), but the trigger is trivial enough that public PoC could appear quickly.
Technical ContextAI
FlexRIC is EURECOM's open-source near-Real-Time RAN Intelligent Controller (near-RT RIC) implementation used in O-RAN deployments, communicating with E2 nodes over SCTP using the E2AP application protocol encoded with ASN.1 Packed Encoding Rules (PER). The root cause maps to CWE-617 (Reachable Assertion): the e2ap_create_pdu() routine uses an assert() to validate the result of PER decoding rather than returning an error, so any input that fails to decode - including a single 0x00 byte - terminates the process via SIGABRT. Because the assertion is reached before protocol-level checks, no valid E2AP handshake, session, or message structure is required. The CPE in NVD is the placeholder cpe:2.3:a:n/a:n/a, reflecting that FlexRIC is not yet enumerated in the official CPE dictionary.
RemediationAI
No vendor-released patch identified at time of analysis; the references point only to the upstream GitLab project and a third-party advisory rather than a fixed release tag, so operators should track https://gitlab.eurecom.fr/mosaic5g/flexric for an updated version and consult the advisory at https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37229.md. As a code-level workaround, replace the assert() in e2ap_create_pdu() with an error-return path that drops malformed PDUs and logs the event, which avoids the SIGABRT without functional impact. Operationally, restrict SCTP ports 36421 (near-RT RIC E2 termination) and 36422 (iApp) to a tightly scoped allowlist of legitimate E2 nodes and management peers via host firewall or SCTP-aware ACLs; this is the strongest compensating control but requires accurate inventory of E2 node addresses and will break any dynamic node onboarding. A supervisor such as systemd with Restart=always will reduce outage duration after a crash but does not prevent repeated re-crashing under sustained attack and may mask the incident.
Same weakness CWE-617 – Reachable Assertion
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today