PatchSiren

CVE-2026-37221 Eurecom CVE debrief

A remote unauthenticated attacker can crash the FlexRIC near-RT RIC by sending a forged RIC_SUBSCRIPTION_RESPONSE containing an unknown ric_id with no matching pending event. In Debug builds, the crash manifests as SIGABRT due to an assert() failure; in Release builds, it manifests as a NULL pointer dereference (SIGSEGV). The vulnerability exists because the response handler uses assert() to enforce the presence of a pending event rather than gracefully handling the absence of one. The affected service listens on port 36421.

Vendor: Eurecom
Product: FlexRIC
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Telecommunications operators deploying O-RAN near-RT RIC infrastructure; security teams responsible for RAN edge security; FlexRIC maintainers and downstream integrators.

Technical summary

The near-RT RIC in FlexRIC v2.0.0 processes incoming RIC_SUBSCRIPTION_RESPONSE messages by looking up a pending event associated with the ric_id contained in the response. When no pending event exists for the provided ric_id, the code relies on assert() to enforce the invariant. A remote attacker who can send a crafted RIC_SUBSCRIPTION_RESPONSE with an arbitrary or stale ric_id triggers this failure path. In Debug builds, the assert() call raises SIGABRT and terminates the process. In Release builds, where assertions are typically compiled out, the code proceeds with a NULL pointer and dereferences it, causing SIGSEGV. The vulnerability is reachable over the E2 interface on port 36421 without authentication.
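
The failure mode described above, as an added example that is not FlexRIC source code: a response handler that treats an unmatched ric_id as expected network input instead of an assert()-guarded invariant. The pending-event table, types and function names are hypothetical, and the ids used in main() are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not FlexRIC source; every name here is hypothetical. */
#define MAX_PENDING 8
typedef struct { uint32_t ric_id; int in_use; } pending_ev_t;
static pending_ev_t pending[MAX_PENDING];
static unsigned unmatched_responses;   /* counter worth alerting on */

/* NULL: the id was never issued (forged) or already completed (stale). */
static pending_ev_t *find_pending(uint32_t ric_id) {
    for (size_t i = 0; i < MAX_PENDING; i++)
        if (pending[i].in_use && pending[i].ric_id == ric_id)
            return &pending[i];
    return NULL;
}

int add_pending(uint32_t ric_id) {   /* record an outstanding subscription */
    for (size_t i = 0; i < MAX_PENDING; i++) {
        if (pending[i].in_use) continue;
        pending[i] = (pending_ev_t){ .ric_id = ric_id, .in_use = 1 };
        return 0;
    }
    return -1;   /* table full */
}

/* Pattern the advisory describes, kept as a comment:
 *     ev = find_pending(ric_id);
 *     assert(ev != NULL);   Debug: SIGABRT; with NDEBUG the check is gone
 *     ev->in_use = 0;       Release: NULL dereference, SIGSEGV
 * Hardened: ric_id is network input, so a miss is a normal, handled case. */
int handle_subscription_response(uint32_t ric_id) {
    pending_ev_t *ev = find_pending(ric_id);
    if (ev == NULL) {
        unmatched_responses++;
        fprintf(stderr, "drop RIC_SUBSCRIPTION_RESPONSE: unknown ric_id=%u\n", (unsigned)ric_id);
        return -1;
    }
    ev->in_use = 0;   /* complete the pending event exactly once */
    return 0;
}

int main(void) {
    add_pending(7);                           /* constructed sample ids */
    handle_subscription_response(99);         /* unknown id: dropped, counted */
    return handle_subscription_response(7);   /* matching id: returns 0 */
}
```

The dropped-response counter and log line give operations a signal to alert on that does not depend on the process dying first.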

Defensive priority

high

Recommended defensive actions

  • Restrict network access to near-RT RIC port 36421 to trusted E2 nodes and management hosts only
  • Deploy ingress filtering to block unsolicited RIC_SUBSCRIPTION_RESPONSE messages from unauthorized sources
  • Apply patches from the FlexRIC project when available; monitor the project repository for security updates
  • If running Debug builds in production, treat a transition to Release builds only as a temporary risk reduction measure, since Release builds still crash with SIGSEGV on the same input; prioritize obtaining a proper fix
  • Review logs for unexpected SIGABRT or SIGSEGV events on near-RT RIC instances that may indicate exploitation attempts

Evidence notes

CVE published 2026-06-01. Source references include an advisory repository and the FlexRIC project page hosted at Eurecom. Vendor attribution is marked low-confidence and flagged for review based on reference domain candidate evidence pointing to Eurecom.

Official resources

2026-06-01