Skip to main content

FlexRIC CVE-2026-37233

HIGH
Reachable Assertion (CWE-617)
2026-06-01 mitre
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 02, 2026 - 18:30 vuln.today
CVSS changed
Jun 02, 2026 - 16:22 NVD
7.5 (HIGH)
CVE Published
Jun 01, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

FlexRIC v2.0.0 contains an authorization bypass in the iApp's xApp isolation mechanism. The equality function eq_xapp_ric_gen_id() in src/ric/iApp/xapp_ric_id.c compares m0->xapp_id against itself (m0->xapp_id) instead of the other argument (m1->xapp_id), effectively ignoring the xApp identity dimension. A malicious xApp connected to the iApp (port 36422) can delete any other xApp's subscriptions by sending an E42_RIC_SUBSCRIPTION_DELETE_REQUEST with a matching ric_gen_id. This breaks multi-tenant isolation in any deployment with multiple xApps sharing the same RIC.

AnalysisAI

Authorization bypass in FlexRIC v2.0.0 allows a malicious xApp to delete subscriptions belonging to other xApps connected to the same iApp instance, breaking multi-tenant isolation in O-RAN deployments. The root cause is a self-comparison bug in eq_xapp_ric_gen_id() that ignores the xApp identity dimension entirely. No public exploit identified at time of analysis, and EPSS probability is very low (0.02%).

Technical ContextAI

FlexRIC is an open-source Near-Real-Time RAN Intelligent Controller (Near-RT RIC) developed by EURECOM as part of the Mosaic5G project, used in O-RAN research and 5G testbed deployments. The iApp component on TCP port 36422 brokers communication between multiple xApps (extended applications) and enforces isolation between them by xApp identity. The vulnerability is a CWE-617 'Reachable Assertion' / logic error in src/ric/iApp/xapp_ric_id.c where the equality predicate eq_xapp_ric_gen_id() compares m0->xapp_id against itself (m0->xapp_id) rather than against m1->xapp_id, causing the function to treat ric_gen_id collisions across different xApps as identity matches. This effectively removes the xApp dimension from the subscription ownership check, enabling cross-tenant subscription manipulation.

RemediationAI

No vendor-released patch identified at time of analysis; the EURECOM GitLab repository should be monitored for an upstream fix to src/ric/iApp/xapp_ric_id.c that corrects eq_xapp_ric_gen_id() to compare m0->xapp_id against m1->xapp_id. As an interim source-level mitigation, operators building FlexRIC from source can apply a one-line patch to that comparison and rebuild. Compensating controls include restricting TCP port 36422 (iApp) to a trusted management network via host or network firewall rules so that only vetted xApp hosts can connect (trade-off: this is only meaningful in deployments that do not already expose 36422 broadly, and does not protect against a malicious tenant whose xApp is legitimately onboarded), and operationally limiting RIC instances to a single trusted xApp tenant until a patched build is available (trade-off: defeats the multi-tenant use case the RIC is designed for). Review the third-party advisory at https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37233.md for any updated patch guidance.

Share

CVE-2026-37233 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy