Skip to main content

FlexRIC CVE-2026-37235

HIGH
Improper Access Control (CWE-284)
2026-06-01 mitre
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 02, 2026 - 17:25 vuln.today
CVSS changed
Jun 02, 2026 - 17:22 NVD
7.5 (HIGH)
CVE Published
Jun 01, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

FlexRIC v2.0.0 trusts the xapp_id field from E42 message payloads without binding it to the sender's SCTP association. The validation function valid_xapp_id() only checks that the value is within the assigned range. A remote unauthenticated attacker can impersonate any xApp by specifying their xapp_id in requests sent to the iApp (port 36422), causing responses to be misrouted to the victim xApp. This can crash the victim xApp, the RIC, or the iApp itself through state inconsistencies in the red-black tree data structure.

AnalysisAI

Denial of service in FlexRIC v2.0.0 allows remote unauthenticated attackers to impersonate any xApp by forging the xapp_id field in E42 messages sent to the iApp on port 36422, since the value is not bound to the sender's SCTP association. Misrouted responses corrupt the red-black tree state and can crash the targeted xApp, the RIC, or the iApp itself. No public exploit identified at time of analysis, and EPSS is very low (0.03%, 9th percentile) reflecting limited weaponization to date.

Technical ContextAI

FlexRIC is the EURECOM/Mosaic5G open-source O-RAN Near-RT RIC implementation used to host xApps that interact with RAN components over E2/E4x interfaces transported on SCTP. The E42 control plane uses an xapp_id identifier to route responses between the iApp (port 36422) and registered xApps, stored in a red-black tree keyed by that ID. The validation routine valid_xapp_id() only range-checks the value rather than verifying it matches the SCTP association of the sender, which is the classic CWE-284 (Improper Access Control) flaw: the trust decision is based on attacker-supplied data instead of the authenticated transport-layer identity. Corrupting or replaying entries in this RB-tree produces state inconsistencies that propagate into the iApp and RIC dispatch logic.

RemediationAI

No vendor-released patch identified at time of analysis from the supplied references - the linked GitLab repository and the third-party advisory at https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37235.md should be monitored for a fixed FlexRIC release that binds xapp_id to the originating SCTP association inside valid_xapp_id(). As a compensating control, restrict reachability to the iApp SCTP listener on port 36422 to only known xApp hosts via network ACLs or O-RAN O1/O2 segmentation, which prevents external impersonation but does not stop a malicious or compromised xApp host from forging IDs; alternatively, place the RIC behind an SCTP-aware proxy that pins associations to expected xapp_id values, accepting the operational overhead of maintaining that mapping. Operators can also add monitoring/alerting on duplicate or unexpected xapp_id values in iApp logs so crashes are detected and recovered quickly until an upstream fix lands.

Share

CVE-2026-37235 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy