FlexRIC CVE-2026-37235
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
FlexRIC v2.0.0 trusts the xapp_id field from E42 message payloads without binding it to the sender's SCTP association. The validation function valid_xapp_id() only checks that the value is within the assigned range. A remote unauthenticated attacker can impersonate any xApp by specifying their xapp_id in requests sent to the iApp (port 36422), causing responses to be misrouted to the victim xApp. This can crash the victim xApp, the RIC, or the iApp itself through state inconsistencies in the red-black tree data structure.
AnalysisAI
Denial of service in FlexRIC v2.0.0 allows remote unauthenticated attackers to impersonate any xApp by forging the xapp_id field in E42 messages sent to the iApp on port 36422, since the value is not bound to the sender's SCTP association. Misrouted responses corrupt the red-black tree state and can crash the targeted xApp, the RIC, or the iApp itself. No public exploit identified at time of analysis, and EPSS is very low (0.03%, 9th percentile) reflecting limited weaponization to date.
Technical ContextAI
FlexRIC is the EURECOM/Mosaic5G open-source O-RAN Near-RT RIC implementation used to host xApps that interact with RAN components over E2/E4x interfaces transported on SCTP. The E42 control plane uses an xapp_id identifier to route responses between the iApp (port 36422) and registered xApps, stored in a red-black tree keyed by that ID. The validation routine valid_xapp_id() only range-checks the value rather than verifying it matches the SCTP association of the sender, which is the classic CWE-284 (Improper Access Control) flaw: the trust decision is based on attacker-supplied data instead of the authenticated transport-layer identity. Corrupting or replaying entries in this RB-tree produces state inconsistencies that propagate into the iApp and RIC dispatch logic.
RemediationAI
No vendor-released patch identified at time of analysis from the supplied references - the linked GitLab repository and the third-party advisory at https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37235.md should be monitored for a fixed FlexRIC release that binds xapp_id to the originating SCTP association inside valid_xapp_id(). As a compensating control, restrict reachability to the iApp SCTP listener on port 36422 to only known xApp hosts via network ACLs or O-RAN O1/O2 segmentation, which prevents external impersonation but does not stop a malicious or compromised xApp host from forging IDs; alternatively, place the RIC behind an SCTP-aware proxy that pins associations to expected xapp_id values, accepting the operational overhead of maintaining that mapping. Operators can also add monitoring/alerting on duplicate or unexpected xapp_id values in iApp logs so crashes are detected and recovered quickly until an upstream fix lands.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today