FlexRIC CVE-2026-37234
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
3DescriptionCVE.org
FlexRIC v2.0.0 allows a single SCTP connection to bind multiple xapp_ids by sending multiple E42_SETUP_REQUESTs. On disconnect, only the first registered xapp_id's resources are cleaned up; subsequent xapp_ids and their subscriptions remain as stale entries. A remote attacker can exploit this to leak subscription state in the iApp, potentially causing resource exhaustion or state corruption over time.
AnalysisAI
Resource exhaustion and stale-state accumulation in FlexRIC v2.0.0 allows unauthenticated remote attackers to bind multiple xApp identifiers to a single SCTP connection via repeated E42_SETUP_REQUEST messages, where only the first xapp_id is cleaned up on disconnect. The remaining orphaned registrations and their subscriptions persist in the iApp, enabling progressive memory/state corruption that maps to the CVSS 8.2 (AV:N/AC:L/PR:N/UI:N) high-availability impact. No public exploit identified at time of analysis and EPSS is very low (0.05%, 17th percentile), but the unauthenticated network reachability of the E2 termination makes this a meaningful availability risk for O-RAN testbeds running this build.
Technical ContextAI
FlexRIC is the EURECOM/Mosaic5G open-source near-real-time RAN Intelligent Controller (nRT-RIC) implementing the O-RAN E2 interface; it accepts xApp registrations over SCTP via the E42 service model setup procedure. The vulnerability is rooted in CWE-400 (Uncontrolled Resource Consumption): the E42 setup handler associates each incoming E42_SETUP_REQUEST with a new xapp_id but uses the SCTP association lifecycle for cleanup, and that teardown path only releases the first xapp_id/subscription bound to the association. Because the iApp (internal application registry) keys subscription state by xapp_id rather than the underlying SCTP association, every additional E42_SETUP_REQUEST on the same socket creates an orphaned entry that survives the connection close. The advertised CPE (cpe:2.3:a:n/a:n/a) is a placeholder and does not enumerate FlexRIC specifically, so identification must come from the GitLab repository at mosaic5g/flexric.
RemediationAI
No vendor-released patch identified at time of analysis; the upstream GitLab project at https://gitlab.eurecom.fr/mosaic5g/flexric should be tracked for a fixed release, and the third-party advisory at https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37234.md should be consulted for fix-commit details once available. As compensating controls, restrict the E2 SCTP listener to a dedicated management VLAN or IPsec-protected transport so only authenticated RAN elements can reach it (trade-off: requires configuring O-RAN E2 transport security and may break ad-hoc xApp testing); enforce per-source-IP connection rate limits and SCTP association caps at the host firewall to slow accumulation (trade-off: legitimate xApps that reconnect frequently may be throttled); and operationally monitor iApp subscription counts and process RSS, restarting the nRT-RIC on threshold breach (trade-off: restart drops live xApp sessions). For research deployments, simply binding the SCTP listener to loopback or a private interface eliminates remote reach entirely.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today