FlexRIC CVE-2026-37231
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
FlexRIC v2.0.0 uses a uint16_t counter for xapp_id assignment but stores the value in uint32_t message fields. After 65,530+ E42_SETUP_REQUESTs, the 16-bit counter wraps around and produces duplicate xapp_ids. The iApp (port 36422) crashes when attempting to register a duplicate ID in its internal data structure. A remote attacker can trigger this by repeatedly connecting and requesting new xApp registrations.
AnalysisAI
Remote denial-of-service in FlexRIC v2.0.0 allows unauthenticated attackers to crash the iApp component (TCP/36422) by exhausting a 16-bit xapp_id counter through repeated E42_SETUP_REQUEST messages. The integer wraparound produces duplicate xApp identifiers that violate internal data-structure invariants, terminating the RIC service. No public exploit identified at time of analysis, and EPSS estimates exploitation probability at just 0.05%, though the attack is conceptually trivial to script.
Technical ContextAI
FlexRIC is the Mosaic5G/EURECOM open-source implementation of an O-RAN Near-Real-Time RAN Intelligent Controller (Near-RT RIC), which manages xApps that consume E2/E42 service-model interfaces over the iApp endpoint on port 36422. The flaw is a textbook CWE-191 (Integer Underflow/Wraparound) variant where xapp_id is allocated from a uint16_t counter (max 65,535) but propagated into uint32_t protocol fields, hiding the truncation at the API boundary. Once the counter rolls over after roughly 65,530 registrations, the iApp's internal map rejects the duplicate insertion and the process aborts, taking the RIC offline.
RemediationAI
No vendor-released patch identified at time of analysis - the upstream Mosaic5G GitLab repository and the third-party advisory at https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37231.md should be monitored for a fixed release that widens the xapp_id allocator to uint32_t (or adds collision handling) consistent with the wire format. Until a patch ships, restrict TCP/36422 (iApp) to the trusted O-RAN management VLAN via host or perimeter firewall rules so untrusted hosts cannot initiate E42_SETUP_REQUEST sessions, accepting the trade-off that legitimate xApps must originate from the allowlisted subnet. As a secondary control, rate-limit new connections to port 36422 (for example via iptables hashlimit) to make the ~65k-request exhaustion economically slow and observable, recognizing this only delays rather than prevents the wraparound, and schedule periodic iApp restarts to reset the counter in long-running deployments.
Same weakness CWE-191 – Integer Underflow
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today