CVE-2026-37232
Division by Zero in OpenAirInterface5G nr-softmodem
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openairinterface | openairinterface5g | 2.4.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-37232 is a divide-by-zero vulnerability in OpenAirInterface5G 2.4.0's nr-softmodem component, specifically in the E2SM-KPM RAN function's PRB utilization metric calculation.
The functions fill_RRU_PrbTotDl() and fill_RRU_PrbTotUl() compute PRB usage percentages by dividing by the difference of two consecutive total_prb_aggregate samples without checking if the divisor is zero.
A malicious xApp can exploit this by sending a high volume of E42_RIC_SUBSCRIPTION_REQUEST messages through the FlexRIC iApp on SCTP port 36422, causing the E2 Agent to generate KPM indication reports at a high frequency.
If two consecutive sampling intervals produce identical PRB aggregate values, the divisor becomes zero, leading to an integer division by zero that crashes the nr-softmodem process with a SIGFPE signal.
This crash disrupts the entire 5G base station process, causing complete 5G cell service interruption for all connected user equipments (UEs). No authentication is required to exploit this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability causes a denial of service by crashing the 5G base station process, resulting in complete 5G cell service interruption for all connected user equipments (UEs). This availability impact could affect compliance with regulations that require continuous service availability and reliability.
However, there is no direct information provided about the vulnerability causing data breaches, unauthorized access, or exposure of personal data that would specifically impact compliance with data protection regulations such as GDPR or HIPAA.
Therefore, the main compliance concern relates to service availability requirements rather than data confidentiality or privacy.
How can this vulnerability impact me?
This vulnerability can cause a complete crash of the 5G base station process (nr-softmodem) due to an unhandled divide-by-zero error.
As a result, the 5G cell service is interrupted entirely, affecting all connected user equipments (UEs) in the affected cell.
The impact is significant availability loss of 5G network service, potentially leading to denial of service for users relying on that base station.
Since no authentication is required to trigger this, an attacker can remotely exploit this vulnerability by sending a high volume of subscription requests.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusually high volumes of E42_RIC_SUBSCRIPTION_REQUEST messages sent via the FlexRIC iApp on SCTP port 36422. Detection involves observing whether the E2 Agent is generating KPM Indication reports at a high frequency, which may indicate exploitation attempts.
Network administrators can check for suspicious SCTP traffic on port 36422 using commands such as:
- tcpdump -i <interface> sctp port 36422
- ss -S -a -n | grep 36422
- sctp_darn -p 36422 (if available)
Additionally, monitoring the nr-softmodem process for crashes or SIGFPE signals can help detect if the vulnerability is being triggered.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the RIC/iApp control path to prevent untrusted or malicious xApps from sending high volumes of subscription requests.
Implement rate-limiting on KPM subscription activity to reduce the frequency of E42_RIC_SUBSCRIPTION_REQUEST messages.
Apply or develop patches that add checks for zero denominators in the PRB utilization metric calculation functions (fill_RRU_PrbTotDl() and fill_RRU_PrbTotUl()) to avoid division by zero errors.
Monitor the nr-softmodem process for stability and consider restarting it if crashes occur.
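The zero-denominator check recommended above, sketched as an added example; this is not OpenAirInterface code. The struct, the used_prb_aggregate field and both function names are assumptions made for illustration; only total_prb_aggregate is named in the description. The guarded version also rejects counters that move backwards and clamps inconsistent snapshots.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical sample layout; only total_prb_aggregate is named on the page. */
typedef struct {
  uint64_t used_prb_aggregate;  /* assumed: PRBs scheduled so far */
  uint64_t total_prb_aggregate; /* PRBs available so far */
} prb_sample_t;

/* Unguarded form of the calculation described above, kept for contrast only:
 * the divisor is zero when both samples carry the same total_prb_aggregate. */
uint32_t prb_pct_unguarded(const prb_sample_t *prev, const prb_sample_t *cur)
{
  return (uint32_t)((cur->used_prb_aggregate - prev->used_prb_aggregate) * 100
                    / (cur->total_prb_aggregate - prev->total_prb_aggregate));
}

/* Guarded form: returns true and writes 0..100 to *pct, or returns false and
 * leaves *pct untouched when the interval has no valid measurement (no new
 * PRBs, or a counter went backwards). The caller decides what to report then. */
bool prb_pct_guarded(const prb_sample_t *prev, const prb_sample_t *cur,
                     uint32_t *pct)
{
  if (cur->total_prb_aggregate <= prev->total_prb_aggregate ||
      cur->used_prb_aggregate < prev->used_prb_aggregate)
    return false;
  uint64_t total = cur->total_prb_aggregate - prev->total_prb_aggregate;
  uint64_t used = cur->used_prb_aggregate - prev->used_prb_aggregate;
  if (used > total)
    used = total; /* clamp snapshots taken at slightly different instants */
  /* Avoid overflow of used * 100 for very large deltas. */
  *pct = (uint32_t)(total > UINT64_MAX / 100 ? used / (total / 100)
                                             : used * 100 / total);
  return true;
}

int main(void)
{
  /* Constructed samples: the second interval repeats the total. */
  prb_sample_t s0 = {0, 0}, s1 = {530, 1060}, s2 = {530, 1060};
  uint32_t pct = 0;
  if (prb_pct_guarded(&s0, &s1, &pct))
    printf("interval 1: %u%%\n", pct);
  if (!prb_pct_guarded(&s1, &s2, &pct))
    puts("interval 2: skipped, no new PRBs in the interval");
  return 0;
}
```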