CVE-2026-37226
FlexRIC iApp Crash via Invalid E2 Node Subscription

Publication date: 2026-06-01

Last updated on: 2026-06-03

Assigner: MITRE

Description
FlexRIC v2.0.0 crashes when the iApp receives an E42_RIC_SUBSCRIPTION_REQUEST referencing a non-existent E2 Node. The lookup function returns NULL, which trips an assert() in Debug builds (SIGABRT) and is dereferenced in Release builds (SIGSEGV). A remote unauthenticated attacker can crash the iApp process (port 36422) by sending a subscription request with an arbitrary global_e2_node_id.
Meta Information
Published: 2026-06-01
Last Modified: 2026-06-03
Generated: 2026-06-22
AI Q&A: 2026-06-01
EPSS Evaluated: 2026-06-20
Affected Vendors & Products
Vendor: mosaic5g
Product: flexric
Version / Range: 2.0.0
CWE ID: CWE-476
Description: The product dereferences a pointer that it expects to be valid but is NULL.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-37226 is a vulnerability in FlexRIC v2.0.0 where the iApp component crashes when it receives a subscription request referencing a non-existent E2 Node.

The crash happens because the lookup function returns NULL for the non-existent node, which triggers an assertion failure in debug builds (causing the process to abort) and a null pointer dereference in release builds (causing a segmentation fault).

A remote unauthenticated attacker can exploit this by sending a specially crafted E42_RIC_SUBSCRIPTION_REQUEST with an arbitrary global_e2_node_id to the iApp's SCTP port 36422, causing the iApp process to crash.

Impact Analysis

This vulnerability can cause a denial of service (DoS) condition by crashing the iApp process and any co-located RIC services.

Since the attacker does not need to be authenticated and can trigger the crash remotely, it can disrupt the availability of the affected system, potentially impacting network operations relying on FlexRIC.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or abnormal terminations of the FlexRIC iApp process, which listens on SCTP port 36422. Specifically, look for SIGABRT or SIGSEGV signals indicating a crash caused by malformed E42_RIC_SUBSCRIPTION_REQUEST messages referencing non-existent E2 nodes.

Network detection can involve capturing and analyzing SCTP traffic on port 36422 to identify suspicious subscription requests with arbitrary or invalid global_e2_node_id values.

Suggested commands include:

  • Use netstat or ss to monitor SCTP connections on port 36422: `ss -S -a -n | grep 36422`
  • Use tcpdump or tshark to capture SCTP packets on port 36422: `tcpdump -i <interface> port 36422`
  • Check system logs or journalctl for crash reports related to the iApp process.

Mitigation Strategies

Immediate mitigation steps include restricting access to the FlexRIC iApp service on SCTP port 36422 to trusted clients only, preventing unauthenticated remote attackers from sending malicious subscription requests.

Additionally, implement validation of E2 node subscription requests to ensure that only valid and existing global_e2_node_id values are accepted, reducing the risk of triggering the crash.

Since no official fix is available yet, these access control and input validation measures are critical to prevent denial of service.
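
The input validation described above, as an added example that is not FlexRIC's own code: it contrasts an assert-only guard, which disappears when a Release build defines NDEBUG, with a runtime check that rejects the request. All type and function names, the simplified integer node id, and the registry contents are assumptions made for illustration.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified types and names; not FlexRIC's real API. */
typedef struct { uint32_t global_e2_node_id; int subscriptions; } e2_node_t;
enum sub_status { SUB_OK = 0, SUB_ERR_UNKNOWN_NODE = -1 };

/* Constructed registry of connected E2 Nodes. */
static e2_node_t registry[] = { { 0x0a01, 0 }, { 0x0a02, 0 } };

/* Lookup returns NULL when the id was never registered. */
static e2_node_t *find_e2_node(uint32_t id) {
    for (size_t i = 0; i < sizeof registry / sizeof registry[0]; i++)
        if (registry[i].global_e2_node_id == id)
            return &registry[i];
    return NULL;
}

/* Pattern from the advisory: assert() is the only guard. With -DNDEBUG
 * (Release) it compiles to nothing and the NULL is dereferenced. */
int handle_sub_req_assert_only(uint32_t id) {
    e2_node_t *n = find_e2_node(id);
    assert(n != NULL);          /* SIGABRT in Debug, absent in Release */
    n->subscriptions++;         /* SIGSEGV in Release for unknown ids */
    return SUB_OK;
}

/* Hardened: peer-controlled input is validated with a runtime check that
 * survives every build type, and the request is rejected, not fatal. */
int handle_sub_req_checked(uint32_t id) {
    e2_node_t *n = find_e2_node(id);
    if (n == NULL)
        return SUB_ERR_UNKNOWN_NODE;   /* caller replies with a failure */
    n->subscriptions++;
    return SUB_OK;
}

/* Helper so the effect on the registry can be inspected. */
int subscriptions_for(uint32_t id) {
    e2_node_t *n = find_e2_node(id);
    return n ? n->subscriptions : -1;
}
int main(void) {
    /* 0xdead is a constructed id that is not in the registry. */
    int bad = handle_sub_req_checked(0xdead);
    int ok  = handle_sub_req_checked(0x0a01);
    return (bad == SUB_ERR_UNKNOWN_NODE && ok == SUB_OK) ? 0 : 1;
}
```

The point for code review is that assert() documents programmer invariants and must not be the sole check on values taken from a network peer.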
