PatchSiren cyber security CVE debrief

CVE-2026-37222 Eurecom CVE debrief

FlexRIC v2.0.0 contains a denial-of-service vulnerability in its E2AP message decoding logic. The near-RT RIC (port 36421) and iApp (port 36422) services use hardcoded assertions to validate Information Element (IE) counts in decoded E2AP messages rather than performing range-based validation against protocol specifications. A remote unauthenticated attacker can send a valid E2AP Protocol Data Unit (PDU) containing an unexpected number of IEs—such as an E2setupRequest with additional optional fields—to trigger a SIGABRT and crash the service. The vulnerability stems from CWE-617 (Reachable Assertion), where exact IE count matching is enforced through assertions that terminate the process when violated.

Vendor: Eurecom
Product: FlexRIC
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Telecommunications operators deploying O-RAN architectures with FlexRIC-based near-RT RIC implementations; security teams responsible for protecting RAN intelligent controller infrastructure; E2 node vendors integrating with FlexRIC; network architects designing O-RAN security boundaries

Technical summary

The vulnerability exists in the E2AP message decoder of FlexRIC v2.0.0, where IE counts in decoded messages are validated using hardcoded assertions rather than protocol-compliant range checks. When an E2AP PDU contains a valid but unexpected number of IEs—including additional optional fields within permitted protocol ranges—the assertion fails and raises SIGABRT, terminating the near-RT RIC or iApp process. This represents a reachable assertion condition (CWE-617) that is exploitable by any network-accessible attacker without authentication. The affected services listen on standard E2 interface ports: 36421 (near-RT RIC) and 36422 (iApp). The root cause is a defensive coding deficiency where exact-count assertions substitute for proper protocol validation, converting what should be a handled protocol deviation into a fatal error.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to a patched version of FlexRIC, when one is available, that replaces assertion-based IE count validation with proper range checking against E2AP protocol specifications
  • Implement network segmentation to restrict access to near-RT RIC port 36421 and iApp port 36422 to authorized E2 nodes and management systems only
  • Deploy intrusion detection or monitoring for anomalous E2AP traffic patterns, particularly E2setupRequest messages with non-standard IE counts
  • Review and replace assertion-based validation patterns in custom E2AP implementations with defensive error handling that returns protocol errors rather than terminating processes
  • Validate that any E2AP decoder implementations enforce protocol-specified IE cardinality ranges (min/max occurrences) rather than exact count matching
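
The change from exact-count assertions to range checks described above, as an added C example that is not FlexRIC's code. The type and function names and the 2 to 4 IE bounds are hypothetical, chosen only for illustration.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical view of a decoded E2AP message; not FlexRIC's real types. */
typedef struct { size_t ie_count; } decoded_msg_t;

/* Constructed bounds for illustration; take the real per-message minimum
 * and maximum IE counts from the E2AP specification. */
typedef struct { size_t min_ies, max_ies; } ie_bounds_t;
static const ie_bounds_t SETUP_REQ_BOUNDS = { 2, 4 };

typedef enum { IE_OK, IE_ERR_NULL, IE_ERR_TOO_FEW, IE_ERR_TOO_MANY } ie_status_t;

/* Reachable-assertion pattern (CWE-617): a peer-controlled count other than
 * exactly 2 calls abort() and raises SIGABRT. Built with -DNDEBUG the check
 * vanishes instead, leaving the count unvalidated. */
void check_ies_assert(const decoded_msg_t *m)
{
    assert(m != NULL && m->ie_count == 2);
}

/* Hardened pattern: validate against the permitted range and report the
 * result, so the caller can reject the PDU and keep the process alive. */
ie_status_t check_ies_range(const decoded_msg_t *m, const ie_bounds_t *b)
{
    if (m == NULL || b == NULL) return IE_ERR_NULL;
    if (m->ie_count < b->min_ies) return IE_ERR_TOO_FEW;
    if (m->ie_count > b->max_ies) return IE_ERR_TOO_MANY;
    return IE_OK;
}

/* Process a batch of decoded messages: returns how many were accepted and
 * counts rejections instead of terminating on the first unexpected one. */
size_t serve(const decoded_msg_t *msgs, size_t n, size_t *rejected)
{
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++)
        if (check_ies_range(&msgs[i], &SETUP_REQ_BOUNDS) == IE_OK) accepted++;
    *rejected = n - accepted;
    return accepted;
}

int main(void)
{
    decoded_msg_t msgs[] = { {2}, {3}, {4}, {5}, {1} }; /* constructed IE counts */
    size_t rejected, ok = serve(msgs, sizeof msgs / sizeof msgs[0], &rejected);
    printf("accepted=%zu rejected=%zu\n", ok, rejected);
    return 0;
}
```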

Evidence notes

The CVE description explicitly states FlexRIC v2.0.0 uses hardcoded assertions for IE count validation in E2AP message decoding. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) confirms network attack vector with low complexity, no privileges required, and high availability impact. The vulnerability is classified under CWE-617 (Reachable Assertion). Vendor attribution to Eurecom is indicated through the source reference to gitlab.eurecom.fr/mosaic5g/flexric, though the vendor field carries low confidence and needs review. The NVD vulnerability status is listed as 'Deferred'.

Official resources

2026-06-01T17:16:58.527Z