Skip to main content

FlexRIC CVE-2026-37231

HIGH
Integer Underflow (CWE-191)
2026-06-01 mitre
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 02, 2026 - 14:23 vuln.today
CVSS changed
Jun 02, 2026 - 14:22 NVD
7.5 (HIGH)
CVE Published
Jun 01, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

FlexRIC v2.0.0 uses a uint16_t counter for xapp_id assignment but stores the value in uint32_t message fields. After 65,530+ E42_SETUP_REQUESTs, the 16-bit counter wraps around and produces duplicate xapp_ids. The iApp (port 36422) crashes when attempting to register a duplicate ID in its internal data structure. A remote attacker can trigger this by repeatedly connecting and requesting new xApp registrations.

AnalysisAI

Remote denial-of-service in FlexRIC v2.0.0 allows unauthenticated attackers to crash the iApp component (TCP/36422) by exhausting a 16-bit xapp_id counter through repeated E42_SETUP_REQUEST messages. The integer wraparound produces duplicate xApp identifiers that violate internal data-structure invariants, terminating the RIC service. No public exploit identified at time of analysis, and EPSS estimates exploitation probability at just 0.05%, though the attack is conceptually trivial to script.

Technical ContextAI

FlexRIC is the Mosaic5G/EURECOM open-source implementation of an O-RAN Near-Real-Time RAN Intelligent Controller (Near-RT RIC), which manages xApps that consume E2/E42 service-model interfaces over the iApp endpoint on port 36422. The flaw is a textbook CWE-191 (Integer Underflow/Wraparound) variant where xapp_id is allocated from a uint16_t counter (max 65,535) but propagated into uint32_t protocol fields, hiding the truncation at the API boundary. Once the counter rolls over after roughly 65,530 registrations, the iApp's internal map rejects the duplicate insertion and the process aborts, taking the RIC offline.

RemediationAI

No vendor-released patch identified at time of analysis - the upstream Mosaic5G GitLab repository and the third-party advisory at https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37231.md should be monitored for a fixed release that widens the xapp_id allocator to uint32_t (or adds collision handling) consistent with the wire format. Until a patch ships, restrict TCP/36422 (iApp) to the trusted O-RAN management VLAN via host or perimeter firewall rules so untrusted hosts cannot initiate E42_SETUP_REQUEST sessions, accepting the trade-off that legitimate xApps must originate from the allowlisted subnet. As a secondary control, rate-limit new connections to port 36422 (for example via iptables hashlimit) to make the ~65k-request exhaustion economically slow and observable, recognizing this only delays rather than prevents the wraparound, and schedule periodic iApp restarts to reset the counter in long-running deployments.

Share

CVE-2026-37231 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy