FlexRIC CVE-2026-37230
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
FlexRIC v2.0.0 crashes when the near-RT RIC receives a RIC_INDICATION message with a ran_func_id that does not exist in its registry. The lookup returns NULL, triggering assert() in Debug builds (SIGABRT) or NULL pointer dereference in Release builds (SIGSEGV). A remote unauthenticated attacker can crash the near-RT RIC (port 36421) by sending a crafted RIC_INDICATION with an arbitrary ran_func_id value.
AnalysisAI
Remote denial-of-service in FlexRIC v2.0.0 near-RT RIC allows unauthenticated attackers to crash the controller process by sending a RIC_INDICATION message containing an unregistered ran_func_id, which causes the registry lookup to return NULL and trigger either an assertion failure (SIGABRT in Debug builds) or a NULL pointer dereference (SIGSEGV in Release builds). The flaw is reachable over the network on port 36421 with no authentication or user interaction, though EPSS remains low at 0.04% and there is no public exploit identified at time of analysis. KEV does not list this issue.
Technical ContextAI
FlexRIC is EURECOM's open-source implementation of the O-RAN near-Real-Time RAN Intelligent Controller (near-RT RIC), a component of the O-RAN architecture that hosts xApps and exchanges E2 service model messages (such as RIC_INDICATION) with E2 nodes (gNBs/eNBs) over SCTP, typically on port 36421. The vulnerability is a classic CWE-476 NULL Pointer Dereference: the dispatcher resolves the ran_func_id field of an inbound RIC_INDICATION against an internal registry of registered RAN functions, but does not validate that the lookup succeeded before dereferencing the returned pointer. Debug builds catch the NULL via assert(), terminating with SIGABRT; Release builds (which compile out asserts) instead dereference NULL and crash with SIGSEGV. The provided CPE string is a placeholder ('cpe:2.3:a:n/a:n/a') and does not authoritatively identify the package, but the GitLab reference confirms the affected codebase is mosaic5g/flexric.
RemediationAI
No vendor-released patch identified at time of analysis - the only references are the upstream GitLab repository and a third-party advisory, neither of which lists a fixed FlexRIC version, so operators should monitor https://gitlab.eurecom.fr/mosaic5g/flexric for a post-2.0.0 release and the advisory at https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37230.md for upstream commit references. Until a fix lands, the most effective compensating control is strict network segmentation of the E2 interface (SCTP/36421) so that only trusted E2 nodes (authenticated gNBs/eNBs in the operator's RAN) can reach the near-RT RIC - enforce this via host firewall (e.g., iptables/nftables rules limiting source IPs) or a dedicated VLAN/VRF for the E2 plane, with the trade-off that misconfigured allowlists can break legitimate E2 setup. As an interim defensive build option, compiling FlexRIC in Debug mode converts the bug into a faster, more obvious assertion failure rather than a SIGSEGV, which may aid detection but does not prevent the crash; combine with a process supervisor (systemd Restart=on-failure) to reduce downtime, accepting that an attacker can still loop the crash. A local source patch adding a NULL check on the ran_func_id registry lookup before dereference is a low-risk hot-fix for operators able to build from source.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Null Pointer Dereference
View allShare
External POC / Exploit Code
Leaving vuln.today