Skip to main content

FlexRIC CVE-2026-37234

HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-01 mitre
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 02, 2026 - 14:24 vuln.today
CVSS changed
Jun 02, 2026 - 14:22 NVD
8.2 (HIGH)
CVE Published
Jun 01, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

FlexRIC v2.0.0 allows a single SCTP connection to bind multiple xapp_ids by sending multiple E42_SETUP_REQUESTs. On disconnect, only the first registered xapp_id's resources are cleaned up; subsequent xapp_ids and their subscriptions remain as stale entries. A remote attacker can exploit this to leak subscription state in the iApp, potentially causing resource exhaustion or state corruption over time.

AnalysisAI

Resource exhaustion and stale-state accumulation in FlexRIC v2.0.0 allows unauthenticated remote attackers to bind multiple xApp identifiers to a single SCTP connection via repeated E42_SETUP_REQUEST messages, where only the first xapp_id is cleaned up on disconnect. The remaining orphaned registrations and their subscriptions persist in the iApp, enabling progressive memory/state corruption that maps to the CVSS 8.2 (AV:N/AC:L/PR:N/UI:N) high-availability impact. No public exploit identified at time of analysis and EPSS is very low (0.05%, 17th percentile), but the unauthenticated network reachability of the E2 termination makes this a meaningful availability risk for O-RAN testbeds running this build.

Technical ContextAI

FlexRIC is the EURECOM/Mosaic5G open-source near-real-time RAN Intelligent Controller (nRT-RIC) implementing the O-RAN E2 interface; it accepts xApp registrations over SCTP via the E42 service model setup procedure. The vulnerability is rooted in CWE-400 (Uncontrolled Resource Consumption): the E42 setup handler associates each incoming E42_SETUP_REQUEST with a new xapp_id but uses the SCTP association lifecycle for cleanup, and that teardown path only releases the first xapp_id/subscription bound to the association. Because the iApp (internal application registry) keys subscription state by xapp_id rather than the underlying SCTP association, every additional E42_SETUP_REQUEST on the same socket creates an orphaned entry that survives the connection close. The advertised CPE (cpe:2.3:a:n/a:n/a) is a placeholder and does not enumerate FlexRIC specifically, so identification must come from the GitLab repository at mosaic5g/flexric.

RemediationAI

No vendor-released patch identified at time of analysis; the upstream GitLab project at https://gitlab.eurecom.fr/mosaic5g/flexric should be tracked for a fixed release, and the third-party advisory at https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37234.md should be consulted for fix-commit details once available. As compensating controls, restrict the E2 SCTP listener to a dedicated management VLAN or IPsec-protected transport so only authenticated RAN elements can reach it (trade-off: requires configuring O-RAN E2 transport security and may break ad-hoc xApp testing); enforce per-source-IP connection rate limits and SCTP association caps at the host firewall to slow accumulation (trade-off: legitimate xApps that reconnect frequently may be throttled); and operationally monitor iApp subscription counts and process RSS, restarting the nRT-RIC on threshold breach (trade-off: restart drops live xApp sessions). For research deployments, simply binding the SCTP listener to loopback or a private interface eliminates remote reach entirely.

Share

CVE-2026-37234 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy