Skip to main content

FlexRIC CVE-2026-37229

HIGH
Reachable Assertion (CWE-617)
2026-06-01 mitre
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 02, 2026 - 14:22 vuln.today
CVSS changed
Jun 02, 2026 - 14:22 NVD
7.5 (HIGH)
CVE Published
Jun 01, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

FlexRIC v2.0.0 contains a reachable assertion in e2ap_create_pdu() triggered when ASN.1 PER decoding fails. A remote unauthenticated attacker can send any non-PER byte sequence (e.g., a single 0x00 byte) over SCTP to the near-RT RIC (port 36421) or iApp (port 36422) to crash the process via SIGABRT. The assertion is reached before any protocol-level validation occurs. All three E2AP protocol versions (v1.01, v2.03, v3.01) are affected.

AnalysisAI

Remote denial of service in FlexRIC v2.0.0 allows unauthenticated attackers to crash the near-RT RIC or iApp process by sending a single malformed byte over SCTP to ports 36421 or 36422. The flaw is a reachable assertion in e2ap_create_pdu() that fires before any protocol validation, affecting all three E2AP protocol versions (v1.01, v2.03, v3.01). No public exploit identified at time of analysis and EPSS is low (0.03%), but the trigger is trivial enough that public PoC could appear quickly.

Technical ContextAI

FlexRIC is EURECOM's open-source near-Real-Time RAN Intelligent Controller (near-RT RIC) implementation used in O-RAN deployments, communicating with E2 nodes over SCTP using the E2AP application protocol encoded with ASN.1 Packed Encoding Rules (PER). The root cause maps to CWE-617 (Reachable Assertion): the e2ap_create_pdu() routine uses an assert() to validate the result of PER decoding rather than returning an error, so any input that fails to decode - including a single 0x00 byte - terminates the process via SIGABRT. Because the assertion is reached before protocol-level checks, no valid E2AP handshake, session, or message structure is required. The CPE in NVD is the placeholder cpe:2.3:a:n/a:n/a, reflecting that FlexRIC is not yet enumerated in the official CPE dictionary.

RemediationAI

No vendor-released patch identified at time of analysis; the references point only to the upstream GitLab project and a third-party advisory rather than a fixed release tag, so operators should track https://gitlab.eurecom.fr/mosaic5g/flexric for an updated version and consult the advisory at https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37229.md. As a code-level workaround, replace the assert() in e2ap_create_pdu() with an error-return path that drops malformed PDUs and logs the event, which avoids the SIGABRT without functional impact. Operationally, restrict SCTP ports 36421 (near-RT RIC E2 termination) and 36422 (iApp) to a tightly scoped allowlist of legitimate E2 nodes and management peers via host firewall or SCTP-aware ACLs; this is the strongest compensating control but requires accurate inventory of E2 node addresses and will break any dynamic node onboarding. A supervisor such as systemd with Restart=always will reduce outage duration after a crash but does not prevent repeated re-crashing under sustained attack and may mask the incident.

Share

CVE-2026-37229 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy