CVE-2026-37225
FlexRIC iApp Remote Crash via Invalid Subscription Request
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mosaic5g | flexric | 2.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | (none assigned) |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-37225 affects FlexRIC 2.0.0. The iApp, the process of the near-RT RIC that xApps talk to over the E42 interface, crashes when it receives an E42_RIC_SUBSCRIPTION_REQUEST whose ricEventTriggerDefinition field is empty.
The root cause is a validation mismatch between two protocol layers. The E42 decoder accepts an empty ricEventTriggerDefinition as valid, but the E2AP encoder that re-encodes the subscription for the E2 node asserts that the field is non-empty. A failed assert() calls abort(), so the iApp terminates with SIGABRT instead of returning an error to the sender.
An unauthenticated remote attacker who can reach the iApp's SCTP listener on port 36422 can send one such crafted request and take the iApp down; the impact is a denial of service.
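The validation mismatch described above, as an added example in C (the language FlexRIC is written in). This is not FlexRIC's code: the length-prefixed wire layout, the function names and the sample messages are all hypothetical, chosen only to show a lenient decoder feeding an asserting encoder, and the single check that closes the gap.

```c
/* Added example, not FlexRIC code. Models the E42-decoder / E2AP-encoder
 * mismatch behind CVE-2026-37225 and the consistent check that fixes it.
 * Wire layout, names and sample messages are hypothetical. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical decoded form of ricEventTriggerDefinition (an OCTET STRING). */
typedef struct {
    const uint8_t *buf;
    size_t len;
} octet_string_t;

/* Hypothetical E42 encoding: 2-byte big-endian length followed by the bytes.
 * Returns 0 on success, -1 on malformed input. Accepts len == 0: the bug. */
static int e42_decode_trigger_lenient(const uint8_t *msg, size_t msg_len,
                                      octet_string_t *out)
{
    if (msg_len < 2) return -1;
    size_t len = ((size_t)msg[0] << 8) | msg[1];
    if (len > msg_len - 2) return -1;       /* length field exceeds message */
    out->buf = msg + 2;
    out->len = len;                         /* zero-length passes through */
    return 0;
}

/* Hardened decoder: enforces the same non-empty invariant the encoder asserts,
 * so an invalid request is rejected with an error instead of an abort. */
static int e42_decode_trigger_strict(const uint8_t *msg, size_t msg_len,
                                     octet_string_t *out)
{
    if (e42_decode_trigger_lenient(msg, msg_len, out) != 0) return -1;
    if (out->len == 0) return -1;           /* reject before re-encoding */
    return 0;
}

/* Models the E2AP encoder: the invariant is an assert(), as in the advisory.
 * Reaching it with an empty trigger aborts the process with SIGABRT. */
static size_t e2ap_encode_trigger(const octet_string_t *in, uint8_t *out,
                                  size_t out_cap)
{
    assert(in->len > 0 && "ricEventTriggerDefinition must be non-empty");
    if (in->len + 2 > out_cap) return 0;
    out[0] = (uint8_t)(in->len >> 8);
    out[1] = (uint8_t)(in->len & 0xff);
    memcpy(out + 2, in->buf, in->len);
    return in->len + 2;
}

/* Subscription handler: decode the E42 request, then re-encode the trigger
 * for E2AP. strict == 0 models the vulnerable 2.0.0 path, strict == 1 the fix.
 * Returns 1 if the request was forwarded, 0 if it was rejected. */
int handle_subscription(const uint8_t *msg, size_t msg_len, int strict)
{
    octet_string_t trig;
    int rc = strict ? e42_decode_trigger_strict(msg, msg_len, &trig)
                    : e42_decode_trigger_lenient(msg, msg_len, &trig);
    if (rc != 0) return 0;
    uint8_t wire[64];
    return e2ap_encode_trigger(&trig, wire, sizeof wire) > 0;
}

/* Constructed sample requests (not captured traffic). */
static const uint8_t VALID_REQ[] = { 0x00, 0x02, 0x13, 0x88 }; /* 2-byte trigger */
static const uint8_t EMPTY_REQ[] = { 0x00, 0x00 };             /* empty trigger */

int main(void)
{
    printf("valid request, strict decoder: forwarded=%d\n",
           handle_subscription(VALID_REQ, sizeof VALID_REQ, 1));
    printf("empty request, strict decoder: forwarded=%d\n",
           handle_subscription(EMPTY_REQ, sizeof EMPTY_REQ, 1));
    /* handle_subscription(EMPTY_REQ, sizeof EMPTY_REQ, 0) would reach the
     * assert in e2ap_encode_trigger and kill the process with SIGABRT,
     * which is the behaviour the advisory describes. */
    return 0;
}
```

The point of the example is where the check lives: the lenient decoder is not wrong about the wire format, it simply trusts a later layer to hold an invariant that layer enforces with assert(). Any invariant an encoder asserts on network-derived data has to be validated at the trust boundary, in the decoder, and turned into a protocol error rather than an abort.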
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me? :
This vulnerability causes a denial of service (DoS) by crashing the iApp process in FlexRIC v2.0.0.
A remote, unauthenticated attacker triggers it by sending a crafted E42_RIC_SUBSCRIPTION_REQUEST with an empty ricEventTriggerDefinition; the iApp aborts on receipt.
The impact is loss of availability: every xApp served by that iApp loses its RIC connection until the process is restarted, and an attacker who can reach the port can repeat the request after each restart.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts can be detected on the wire by looking at SCTP traffic to port 36422 for E42_RIC_SUBSCRIPTION_REQUEST messages whose ricEventTriggerDefinition is zero-length.
Because a successful attempt kills the iApp with SIGABRT, the crash itself is the other signal: watch the iApp process for abnormal termination or unexpected restarts.
The following capture commands isolate SCTP traffic on port 36422; note that they only collect the packets, and identifying an empty ricEventTriggerDefinition still requires decoding the E42 message payload.
- tcpdump -i <interface> port 36422 and sctp
- tshark -i <interface> -Y "sctp.port == 36422" -V
On the host side, check system logs or the process supervisor for SIGABRT terminations of the iApp (on systemd hosts, coredumpctl lists aborted processes if core dumping is enabled). A crash whose backtrace ends in the E2AP encoder's assertion is a strong indicator of this issue.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to restrict access to the iApp's E42 listener (SCTP port 36422) to trusted xApp hosts and trusted network segments, so that unauthenticated remote sources cannot deliver the crafted request at all.
The code-level fix is to make the E42 decoder enforce the same non-empty constraint on ricEventTriggerDefinition that the E2AP encoder asserts, rejecting the invalid request with an error instead of letting it reach the assertion. If you build FlexRIC from source, apply that check or an upstream patch once one is published.
Since no upstream fix was available at the time of disclosure, network-level filtering and access control are the controls that matter. Running the iApp under a supervisor that restarts it limits downtime, but it does not stop an attacker who retains access to the port from crashing it again.