Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
An issue was discovered in OpenAirInterface5G 2.4.0 (nr-softmodem) in the E2SM-KPM RAN Function's PRB utilization metric calculation. The functions fill_RRU_PrbTotDl() and fill_RRU_PrbTotUl() in openair2/E2AP/RAN_FUNCTION/O-RAN/ran_func_kpm_subs.c (lines 182 and 197) compute PRB usage percentages by dividing by the difference of two consecutive total_prb_aggregate samples without checking for zero. When a malicious xApp sends a high volume of E42_RIC_SUBSCRIPTION_REQUESTs via the FlexRIC iApp (port 36422/SCTP), the E2 Agent generates KPM Indication reports at high frequency. If two consecutive sampling intervals yield identical PRB aggregate values, the divisor becomes zero, triggering SIGFPE and crashing the entire 5G base station process (nr-softmodem). This results in complete 5G cell service interruption for all connected UEs. No authentication is required.
AnalysisAI
Denial of service in OpenAirInterface5G 2.4.0 (nr-softmodem) allows unauthenticated remote attackers to crash an entire 5G base station by triggering a divide-by-zero in the E2SM-KPM RAN Function's PRB utilization calculation. By flooding E42 subscription requests through the FlexRIC iApp on port 36422/SCTP, an attacker forces consecutive identical PRB aggregate samples that produce a zero divisor, raising SIGFPE and interrupting service for all connected UEs. No public exploit identified at time of analysis, and EPSS probability is very low at 0.03%, but the unauthenticated network vector and total cell outage make this a high-impact availability flaw.
Technical ContextAI
OpenAirInterface5G is an open-source 5G NR software stack maintained by EURECOM; nr-softmodem is its gNB (base station) process. The flaw sits in the O-RAN E2 Service Model for Key Performance Measurement (E2SM-KPM), specifically fill_RRU_PrbTotDl() and fill_RRU_PrbTotUl() in openair2/E2AP/RAN_FUNCTION/O-RAN/ran_func_kpm_subs.c at lines 182 and 197, which compute Physical Resource Block utilization as a percentage by dividing by the delta between two consecutive total_prb_aggregate samples. The E2 interface uses SCTP (port 36422) and integrates with FlexRIC, the EURECOM near-real-time RIC and iApp framework. Root cause is CWE-369 (Divide By Zero): the code never validates that the denominator is non-zero before performing integer division, so two identical successive aggregate samples - easy to induce by forcing high-frequency KPM Indication reports - produce a SIGFPE that terminates the entire gNB process.
RemediationAI
No vendor-released patch identified at time of analysis; the references point only to the upstream OAI GitLab repository and a third-party advisory at https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37232.md, with no fixed version cited. Operators should monitor https://gitlab.eurecom.fr/oai/openairinterface5g for an updated 2.4.x release or apply a local source fix that guards the divisor in fill_RRU_PrbTotDl() and fill_RRU_PrbTotUl() (return 0 or skip the report when the delta is zero) before rebuilding nr-softmodem. As compensating controls until an upstream patch lands: restrict SCTP port 36422 to known FlexRIC/RIC host IPs via host firewall or network ACLs (side effect: blocks legitimate non-allowlisted xApps), disable or unload the E2SM-KPM RAN Function if KPM telemetry is not required (side effect: loses PRB utilization metrics to the RIC), and rate-limit E42_RIC_SUBSCRIPTION_REQUESTs at the iApp boundary (side effect: may delay legitimate subscription churn during xApp restarts).
Same weakness CWE-369 – Divide By Zero
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today