CVE-2026-37235
Memory Corruption in FlexRIC v2.0.0 via xApp ID Spoofing

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: MITRE

Description
FlexRIC v2.0.0 trusts the xapp_id field from E42 message payloads without binding it to the sender's SCTP association. The validation function valid_xapp_id() only checks that the value is within the assigned range. A remote unauthenticated attacker can impersonate any xApp by placing the victim's xapp_id in requests sent to the iApp (port 36422), causing responses to be misrouted to the victim xApp. This can crash the victim xApp, the RIC, or the iApp itself through state inconsistencies in the red-black tree data structure.
Meta Information
Generated: 2026-06-02
AI Q&A: 2026-06-01
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE ID: CWE-UNKNOWN
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

CVE-2026-37235 is a vulnerability in FlexRIC v2.0.0 where the system trusts the xapp_id field from E42 message payloads without verifying that it matches the sender's SCTP association.

The validation function only checks if the xapp_id is within an assigned numeric range but does not bind it to the actual sender, allowing a remote unauthenticated attacker to impersonate any xApp by specifying their xapp_id in requests.

This impersonation causes responses to be misrouted to the victim xApp, which can lead to crashes of the victim xApp, the RIC, or the iApp itself due to state inconsistencies in the red-black tree data structure.


How can this vulnerability impact me?

An attacker exploiting this vulnerability can impersonate any xApp by sending crafted requests with a victim's xapp_id, causing responses to be misrouted.

This can lead to crashes of the victim xApp, the near-real-time RIC, or the iApp itself, resulting in denial of service or disruption of normal operations.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring SCTP traffic to the iApp on port 36422 for E42 messages where the xapp_id field does not match the sender's SCTP association.

Specifically, detection involves identifying requests that claim an xapp_id that is not bound to the SCTP connection from which the request originates.

Commands to assist detection could include using network packet capture tools such as tcpdump or tshark to filter SCTP traffic on port 36422 and analyze the xapp_id values in E42_RIC_SUBSCRIPTION_REQUEST messages.

  • tcpdump -i <interface> port 36422 and sctp
  • tshark -i <interface> -Y "sctp.port == 36422" -T fields -e e42.xapp_id

After capturing, correlate the xapp_id values with the SCTP association endpoints to detect mismatches indicating potential exploitation attempts.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the iApp SCTP port 36422 to only trusted xApps and authorized systems.

Additionally, monitor incoming requests to ensure that the xapp_id in the E42 message payload is bound and verified against the authenticated SCTP association rather than trusting the xapp_id field alone.

If possible, implement network-level controls such as firewall rules to limit SCTP connections to known and trusted sources.

Longer term, update or patch the FlexRIC software to a version that properly validates the xapp_id against the SCTP association.
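The difference between the range-only check the Description attributes to valid_xapp_id() and the binding check the mitigation answer calls for, as an added illustration that is not FlexRIC's code: a small registry maps each SCTP association to the xapp_id the iApp assigned over it, and a request is accepted only when the claimed id is the one bound to the association it arrived on. The id range, the bindings table and the assoc_id parameter (standing for whatever the receive path uses to identify the SCTP association) are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>

/* Assumed for this example: xApp IDs are assigned from a fixed range and a
 * small table remembers which SCTP association each id was assigned over. */
#define XAPP_ID_MIN 1
#define XAPP_ID_MAX 64
#define MAX_ASSOC   8

typedef struct { int assoc_id; uint16_t xapp_id; } binding_t;
static binding_t bindings[MAX_ASSOC];
static size_t n_bindings = 0;

/* Weak check: mirrors the range-only behaviour the advisory describes.
 * Any in-range value, including another xApp's id, passes. */
bool valid_xapp_id_range_only(uint16_t xapp_id) {
  return xapp_id >= XAPP_ID_MIN && xapp_id <= XAPP_ID_MAX;
}

/* Record the id the iApp assigned to a newly connected xApp, keyed by the
 * association it connected over. One id per association and vice versa. */
bool bind_xapp(int assoc_id, uint16_t xapp_id) {
  if (!valid_xapp_id_range_only(xapp_id) || n_bindings >= MAX_ASSOC) return false;
  for (size_t i = 0; i < n_bindings; ++i)
    if (bindings[i].assoc_id == assoc_id || bindings[i].xapp_id == xapp_id) return false;
  bindings[n_bindings++] = (binding_t){assoc_id, xapp_id};
  return true;
}

/* Hardened check: the id carried in the E42 payload must be in range AND be
 * the id bound to the SCTP association the request was received on. */
bool valid_xapp_id_bound(int assoc_id, uint16_t claimed) {
  if (!valid_xapp_id_range_only(claimed)) return false;
  for (size_t i = 0; i < n_bindings; ++i)
    if (bindings[i].assoc_id == assoc_id) return bindings[i].xapp_id == claimed;
  return false; /* unregistered association: never trust the payload alone */
}

/* Clear the registry (used to start a fresh scenario). */
void reset_bindings(void) { n_bindings = 0; }
```

A request arriving on association 10 that claims the id bound to association 11 passes the range-only check but is rejected by the bound check, which is the mismatch the detection answer above describes.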

