Skip to main content

FlexRIC CVE-2026-37230

HIGH
NULL Pointer Dereference (CWE-476)
2026-06-01 mitre
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 02, 2026 - 18:30 vuln.today
CVSS changed
Jun 02, 2026 - 16:22 NVD
7.5 (HIGH)
CVE Published
Jun 01, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

FlexRIC v2.0.0 crashes when the near-RT RIC receives a RIC_INDICATION message with a ran_func_id that does not exist in its registry. The lookup returns NULL, triggering assert() in Debug builds (SIGABRT) or NULL pointer dereference in Release builds (SIGSEGV). A remote unauthenticated attacker can crash the near-RT RIC (port 36421) by sending a crafted RIC_INDICATION with an arbitrary ran_func_id value.

AnalysisAI

Remote denial-of-service in FlexRIC v2.0.0 near-RT RIC allows unauthenticated attackers to crash the controller process by sending a RIC_INDICATION message containing an unregistered ran_func_id, which causes the registry lookup to return NULL and trigger either an assertion failure (SIGABRT in Debug builds) or a NULL pointer dereference (SIGSEGV in Release builds). The flaw is reachable over the network on port 36421 with no authentication or user interaction, though EPSS remains low at 0.04% and there is no public exploit identified at time of analysis. KEV does not list this issue.

Technical ContextAI

FlexRIC is EURECOM's open-source implementation of the O-RAN near-Real-Time RAN Intelligent Controller (near-RT RIC), a component of the O-RAN architecture that hosts xApps and exchanges E2 service model messages (such as RIC_INDICATION) with E2 nodes (gNBs/eNBs) over SCTP, typically on port 36421. The vulnerability is a classic CWE-476 NULL Pointer Dereference: the dispatcher resolves the ran_func_id field of an inbound RIC_INDICATION against an internal registry of registered RAN functions, but does not validate that the lookup succeeded before dereferencing the returned pointer. Debug builds catch the NULL via assert(), terminating with SIGABRT; Release builds (which compile out asserts) instead dereference NULL and crash with SIGSEGV. The provided CPE string is a placeholder ('cpe:2.3:a:n/a:n/a') and does not authoritatively identify the package, but the GitLab reference confirms the affected codebase is mosaic5g/flexric.

RemediationAI

No vendor-released patch identified at time of analysis - the only references are the upstream GitLab repository and a third-party advisory, neither of which lists a fixed FlexRIC version, so operators should monitor https://gitlab.eurecom.fr/mosaic5g/flexric for a post-2.0.0 release and the advisory at https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37230.md for upstream commit references. Until a fix lands, the most effective compensating control is strict network segmentation of the E2 interface (SCTP/36421) so that only trusted E2 nodes (authenticated gNBs/eNBs in the operator's RAN) can reach the near-RT RIC - enforce this via host firewall (e.g., iptables/nftables rules limiting source IPs) or a dedicated VLAN/VRF for the E2 plane, with the trade-off that misconfigured allowlists can break legitimate E2 setup. As an interim defensive build option, compiling FlexRIC in Debug mode converts the bug into a faster, more obvious assertion failure rather than a SIGSEGV, which may aid detection but does not prevent the crash; combine with a process supervisor (systemd Restart=on-failure) to reduce downtime, accepting that an attacker can still loop the crash. A local source patch adding a NULL check on the ran_func_id registry lookup before dereference is a low-risk hot-fix for operators able to build from source.

Share

CVE-2026-37230 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy