Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
FlexRIC v2.0.0 crashes when receiving a RIC_SUBSCRIPTION_RESPONSE with an unknown ric_id that has no corresponding pending event. The near-RT RIC uses assert() to enforce the existence of a pending event during response processing. A remote unauthenticated attacker can send a forged RIC_SUBSCRIPTION_RESPONSE to the near-RT RIC (port 36421) to cause SIGABRT in Debug builds or NULL pointer dereference (SIGSEGV) in Release builds.
AnalysisAI
Remote denial of service in FlexRIC v2.0.0 allows unauthenticated attackers to crash the near-RT RIC by sending a forged RIC_SUBSCRIPTION_RESPONSE message to TCP port 36421 with an unknown ric_id that has no corresponding pending event. The vulnerability stems from an assert() check in the response handler that causes SIGABRT in Debug builds or a NULL pointer dereference (SIGSEGV) in Release builds. No public exploit identified at time of analysis, though the trivially low complexity and unauthenticated network reach make weaponization straightforward.
Technical ContextAI
FlexRIC is an open-source O-RAN compliant near-Real-Time RAN Intelligent Controller maintained by EURECOM's Mosaic5G project, used in 5G research and testbed deployments to manage radio access network functions via the E2 interface. The vulnerable code path handles RIC_SUBSCRIPTION_RESPONSE messages - part of the E2AP (E2 Application Protocol) on standard port 36421 - and uses assert() to enforce the invariant that an incoming response must correspond to a pending subscription event tracked by ric_id. This pattern maps to CWE-617 (Reachable Assertion), where attacker-controlled input reaches an assertion that should have been validated input rather than a programming invariant; in Release builds with assertions compiled out, the same logic dereferences the NULL pending-event pointer instead.
RemediationAI
No vendor-released patch identified at time of analysis; the referenced third-party advisory at https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37221.md should be monitored and the EURECOM repository at https://gitlab.eurecom.fr/mosaic5g/flexric watched for an upstream fix that replaces the assert() with a proper validation-and-return on unknown ric_id values. Until a fix lands, restrict TCP/36421 (E2AP) reachability to the explicit set of E2 nodes via host firewall or network ACLs - the trade-off is that any legitimate E2 node added to the deployment must be allow-listed manually. As secondary controls, deploy FlexRIC behind an IPsec or TLS-wrapped transport if supported in your topology, and enable process supervision (systemd Restart=, container restart policy) to limit outage duration after a crash, accepting that an attacker can still loop the crash and cause sustained unavailability.
Same weakness CWE-617 – Reachable Assertion
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33660
GHSA-46rx-wmhr-cj2m