PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-37223 Eurecom CVE debrief

FlexRIC v2.0.0 contains a reachable assertion in the iApp message dispatcher that allows remote unauthenticated attackers to terminate the entire near-RT RIC service. The dispatcher validates incoming E2AP messages against a nine-entry whitelist using assert(), and any decodable E2AP PDU with a message type outside this whitelist triggers SIGABRT. Because iApp and the near-RT RIC share a single process, this crash disconnects all E2 Nodes and xApps. The vulnerability was published on 2026-06-01 and carries a HIGH severity CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The weakness is categorized as CWE-617: Reachable Assertion. Vendor attribution to Eurecom rests on a reference domain candidate, is low-confidence, and requires review. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.

Vendor: Eurecom
Product: FlexRIC
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Telecommunications operators deploying O-RAN near-RT RIC infrastructure with FlexRIC; security teams responsible for RAN intelligent controller availability; xApp and E2 Node operators dependent on continuous RIC connectivity; vulnerability management programs tracking open-source RAN platform security.

Technical summary

The iApp message dispatcher in FlexRIC v2.0.0 uses assert() to enforce a nine-entry whitelist of permitted E2AP message types. When a remote attacker sends any decodable E2AP PDU with a message type not present in this whitelist, the assertion fails and raises SIGABRT. Because the iApp component and near-RT RIC run as a single process, this abort terminates the entire RIC service rather than isolating the failure to the message handler. The result is complete loss of availability: all connected E2 Nodes and xApps are disconnected, and the RIC must be restarted. The attack requires no authentication and can be conducted over the network against E2AP service port 36422. The underlying weakness is CWE-617 (Reachable Assertion), indicating that defensive code paths should use controlled error returns rather than fatal assertions for input validation.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to a patched version of FlexRIC when available, or apply vendor-supplied mitigation for the iApp message dispatcher
  • Replace assert()-based validation with proper error handling that rejects non-whitelisted E2AP message types gracefully without process termination
  • Implement network segmentation to restrict access to E2AP port 36422 to authorized E2 Nodes and management infrastructure only
  • Monitor for unexpected SIGABRT crashes in near-RT RIC processes and alert on repeated E2AP connection drops from multiple sources
  • Review and test E2AP message handling paths to identify additional reachable assertion or abort conditions in the RIC platform
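
The assert()-based whitelist check from the technical summary, next to the error-returning form that the second recommended action calls for. This is an added example, not FlexRIC's code: the message-type names, handler table and counters are hypothetical, and the three-entry whitelist stands in for the real nine-entry one.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical message-type codes: NOT FlexRIC's real enum or its nine-entry whitelist. */
enum { MSG_SUB_REQ, MSG_SUB_DEL_REQ, MSG_CTRL_REQ, MSG_WHITELIST_LEN };
typedef enum { DISPATCH_OK = 0, DISPATCH_REJECTED = -1 } dispatch_rc_t;
typedef struct { unsigned long handled, rejected; } dispatch_stats_t;
typedef void (*handler_fn)(dispatch_stats_t *);
static void count_handled(dispatch_stats_t *s) { s->handled++; }
static const handler_fn handlers[MSG_WHITELIST_LEN] = {
    count_handled, count_handled, count_handled,
};

static int is_whitelisted(int type)
{
    return type >= 0 && type < MSG_WHITELIST_LEN && handlers[type] != NULL;
}

/* CWE-617 pattern: a peer-controlled value decides whether the process aborts.
 * With NDEBUG the check disappears and the table is indexed out of bounds. */
dispatch_rc_t dispatch_with_assert(int type, dispatch_stats_t *s)
{
    assert(is_whitelisted(type));   /* SIGABRT on any other decodable type */
    handlers[type](s);
    return DISPATCH_OK;
}

/* Hardened form: reject, count, and return so the caller can log the event
 * and drop the message or the connection; the process keeps running. */
dispatch_rc_t dispatch_checked(int type, dispatch_stats_t *s)
{
    if (!is_whitelisted(type)) {
        s->rejected++;
        return DISPATCH_REJECTED;
    }
    handlers[type](s);
    return DISPATCH_OK;
}

int main(void)
{
    /* Constructed input: two whitelisted types and two that are not. */
    const int seen[] = { MSG_SUB_REQ, 42, MSG_CTRL_REQ, -7 };
    dispatch_stats_t s = { 0, 0 };
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++)
        dispatch_checked(seen[i], &s);
    printf("handled=%lu rejected=%lu\n", s.handled, s.rejected);
    return 0;
}
```

The rejected counter gives the monitoring action above a signal to alert on before any crash occurs.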

Evidence notes

The CVE description and NVD metadata confirm the reachable assertion in FlexRIC v2.0.0's iApp message dispatcher. The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H supports network-based unauthenticated denial of service. Source references include an advisory repository and the FlexRIC GitLab project. Vendor attribution is flagged as low-confidence based on reference domain candidate evidence.

Official resources

2026-06-01T17:16:58.647Z