CVE-2026-37235
Analyzed Analyzed - Analysis Complete
Memory Corruption in FlexRIC v2.0.0 via xApp ID Spoofing

Publication date: 2026-06-01

Last updated on: 2026-06-03

Assigner: MITRE

Description
FlexRIC v2.0.0 trusts the xapp_id field from E42 message payloads without binding it to the sender's SCTP association. The validation function valid_xapp_id() only checks that the value is within the assigned range. A remote unauthenticated attacker can impersonate any xApp by specifying their xapp_id in requests sent to the iApp (port 36422), causing responses to be misrouted to the victim xApp. This can crash the victim xApp, the RIC, or the iApp itself through state inconsistencies in the red-black tree data structure.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-03
Generated
2026-06-22
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-37235
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mosaic5g flexric 2.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-37235 is a vulnerability in FlexRIC v2.0.0 where the system trusts the xapp_id field from E42 message payloads without verifying that it matches the sender's SCTP association.

The validation function only checks if the xapp_id is within an assigned numeric range but does not bind it to the actual sender, allowing a remote unauthenticated attacker to impersonate any xApp by specifying their xapp_id in requests.

This impersonation causes responses to be misrouted to the victim xApp, which can lead to crashes of the victim xApp, the RIC, or the iApp itself due to state inconsistencies in the red-black tree data structure.

Impact Analysis

An attacker exploiting this vulnerability can impersonate any xApp by sending crafted requests with a victim's xapp_id, causing responses to be misrouted.

This can lead to crashes of the victim xApp, the near-real-time RIC, or the iApp itself, resulting in denial of service or disruption of normal operations.

Detection Guidance

This vulnerability can be detected by monitoring SCTP traffic to the iApp on port 36422 for E42 messages where the xapp_id field does not match the sender's SCTP association.

Specifically, detection involves identifying requests that claim an xapp_id that is not bound to the SCTP connection from which the request originates.

Commands to assist detection could include using network packet capture tools such as tcpdump or tshark to filter SCTP traffic on port 36422 and analyze the xapp_id values in E42_RIC_SUBSCRIPTION_REQUEST messages.

  • tcpdump -i <interface> port 36422 and sctp
  • tshark -i <interface> -Y "sctp.port == 36422" -T fields -e e42.xapp_id

After capturing, correlate the xapp_id values with the SCTP association endpoints to detect mismatches indicating potential exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include restricting access to the iApp SCTP port 36422 to only trusted xApps and authorized systems.

Additionally, monitor incoming requests to ensure that the xapp_id in the E42 message payload is bound and verified against the authenticated SCTP association rather than trusting the xapp_id field alone.

If possible, implement network-level controls such as firewall rules to limit SCTP connections to known and trusted sources.

Longer term, update or patch the FlexRIC software to a version that properly validates the xapp_id against the SCTP association.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-37235. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart