CVE-2026-37225
Deferred Deferred - Pending Action
FlexRIC iApp Remote Crash via Invalid Subscription Request

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: MITRE

Description
FlexRIC v2.0.0 crashes when the iApp receives an E42_RIC_SUBSCRIPTION_REQUEST with an empty ricEventTriggerDefinition field. The E42 layer decoder accepts this as valid, but the E2AP encoder asserts a non-empty constraint when forwarding the request. A remote unauthenticated attacker can crash the iApp process (port 36422) via SIGABRT by exploiting this cross-layer validation mismatch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-37225
EUVD
EUVD-2026-33699
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mosaic5g flexric 2.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-37225 affects FlexRIC version 2.0.0 and causes the iApp process to crash when it receives an E42_RIC_SUBSCRIPTION_REQUEST containing an empty ricEventTriggerDefinition field.

The root cause is a validation mismatch between two protocol layers: the E42 layer decoder accepts an empty event trigger definition as valid, but the E2AP encoder requires this field to be non-empty. When the encoder encounters the empty field, it triggers an assertion failure that causes the iApp process to terminate with a SIGABRT signal.

This vulnerability can be exploited remotely by an unauthenticated attacker who sends a specially crafted request over SCTP to port 36422, leading to a denial of service by crashing the iApp.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can cause a denial of service (DoS) by crashing the iApp process in FlexRIC v2.0.0.

An attacker who is remote and unauthenticated can exploit this issue by sending a crafted E42_RIC_SUBSCRIPTION_REQUEST with an empty ricEventTriggerDefinition, causing the iApp to terminate unexpectedly.

The impact is a loss of availability of the affected service, which could disrupt network functions relying on FlexRIC.

Detection Guidance

This vulnerability can be detected by monitoring network traffic for SCTP packets sent to port 36422 that contain E42_RIC_SUBSCRIPTION_REQUEST messages with an empty ricEventTriggerDefinition field.

Since the vulnerability causes the iApp process to crash via SIGABRT when receiving such crafted requests, detection can also involve monitoring the iApp process for unexpected crashes or terminations.

Commands to help detect exploitation attempts could include using packet capture tools like tcpdump or tshark to filter SCTP traffic on port 36422 and analyze the payload for empty ricEventTriggerDefinition fields.

  • tcpdump -i <interface> port 36422 and sctp
  • tshark -i <interface> -Y "sctp.port == 36422" -V

Additionally, monitoring system logs or process supervisors for SIGABRT signals or iApp crashes can help identify exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include restricting access to the iApp process (port 36422) to only trusted xApps and trusted network sources to prevent unauthenticated remote attackers from sending crafted requests.

Another important mitigation is to ensure that the E42 decoder enforces the same non-empty constraint on the ricEventTriggerDefinition field as the E2AP encoder, preventing the acceptance of invalid requests that cause crashes.

Since no upstream fix was available at the time of disclosure, applying network-level filtering and access controls is critical to reduce exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-37225. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart