CVE-2026-37229
Analyzed Analyzed - Analysis Complete
FlexRIC Assertion Failure in E2AP PER Decoding

Publication date: 2026-06-01

Last updated on: 2026-06-03

Assigner: MITRE

Description
FlexRIC v2.0.0 contains a reachable assertion in e2ap_create_pdu() triggered when ASN.1 PER decoding fails. A remote unauthenticated attacker can send any non-PER byte sequence (e.g., a single 0x00 byte) over SCTP to the near-RT RIC (port 36421) or iApp (port 36422) to crash the process via SIGABRT. The assertion is reached before any protocol-level validation occurs. All three E2AP protocol versions (v1.01, v2.03, v3.01) are affected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-03
Generated
2026-06-22
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-37229
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mosaic5g flexric 2.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-37229 is a vulnerability in FlexRIC v2.0.0 where a reachable assertion in the e2ap_create_pdu() function causes the process to crash when ASN.1 PER decoding fails.

A remote unauthenticated attacker can send any malformed or non-PER byte sequence, such as a single 0x00 byte, over SCTP to ports 36421 or 36422. This triggers a SIGABRT signal that terminates the near-RT RIC or iApp process.

The root cause is that the ASN.1 decoder helper asserts that decoding must succeed, and this assertion is reachable before any protocol-level validation occurs, making the system vulnerable to denial of service.

Impact Analysis

This vulnerability can be exploited remotely by an unauthenticated attacker to cause a denial of service by crashing the near-RT RIC or iApp process.

The crash occurs due to a SIGABRT signal triggered by a failed assertion in the ASN.1 PER decoding process, which can disrupt service availability.

Since the assertion is reached before any protocol-level validation, any malformed message sent over SCTP to the affected ports can cause the crash.

Detection Guidance

This vulnerability can be detected by monitoring for abnormal crashes of the near-RT RIC or iApp processes, which occur when malformed or non-PER byte sequences are sent over SCTP to ports 36421 or 36422.

To detect potential exploitation attempts on your network, you can capture and analyze SCTP traffic targeting these ports for unusual or malformed packets, such as single 0x00 bytes or other non-PER encoded sequences.

  • Use tcpdump or tshark to capture SCTP traffic on ports 36421 and 36422, for example: tcpdump -i <interface> port 36421 or port 36422 and sctp
  • Analyze captured packets for non-PER byte sequences or unexpected payloads that could trigger the assertion failure.
  • Monitor system logs and process crash reports for SIGABRT signals related to the near-RT RIC or iApp processes.
Mitigation Strategies

Immediate mitigation steps include restricting SCTP access to only trusted peers to prevent unauthenticated attackers from sending malformed packets to the vulnerable ports.

Additionally, handling decode failures more gracefully by rejecting or dropping malformed messages instead of asserting can prevent process crashes.

Since no upstream fix was available at the time of disclosure, network-level controls such as firewall rules to block or limit SCTP traffic to ports 36421 and 36422 from untrusted sources are recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-37229. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart