PatchSiren cyber security CVE debrief
CVE-2026-37224 EURECOM CVE debrief
A remote unauthenticated attacker can crash the FlexRIC iApp process (port 36421) by sending duplicate E2_SETUP_REQUEST messages with the same E2 node configuration. The iApp registry enforces node ID uniqueness using assert() rather than graceful error handling, causing SIGABRT upon receipt of a second E2_SETUP_REQUEST from the same or a spoofed E2 Node. This represents a denial-of-service condition against the RIC (RAN Intelligent Controller) E2 interface in O-RAN deployments.
- Vendor: EURECOM
- Product: FlexRIC
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-01
- Original CVE updated: 2026-06-01
- Advisory published: 2026-06-01
- Advisory updated: 2026-06-01
Who should care
Mobile network operators deploying O-RAN architectures with FlexRIC as the RIC platform; security teams responsible for RAN edge infrastructure; O-RAN E2 Node vendors integrating with FlexRIC-based controllers
Technical summary
The FlexRIC iApp component (v2.0.0) uses an assert() statement to enforce uniqueness of E2 Node IDs in its internal registry. When a second E2_SETUP_REQUEST arrives with a node ID already present in the registry—whether from the legitimate node retransmitting or from a spoofed source—the assertion fails and the process aborts with SIGABRT. The E2 interface operates over SCTP port 36421, and the attack requires no authentication. The CVSS 3.1 score of 7.5 (HIGH) reflects network attack vector, low attack complexity, no privileges required, no user interaction, and high availability impact with no confidentiality or integrity impact.
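The reachable-assertion pattern described above, next to a form that rejects the duplicate and keeps running. This is an added C example, not FlexRIC source code: `registry_t`, `reg_add_asserting` and `reg_add_checked` are hypothetical names, and the 32-bit node ID is a constructed stand-in for the E2 node identity.

```c
/* Added illustration: hypothetical registry, not FlexRIC source code. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

#define REG_MAX 8

typedef enum { REG_OK = 0, REG_ERR_DUPLICATE = -1, REG_ERR_FULL = -2 } reg_rc_t;

typedef struct {
    uint32_t node_id[REG_MAX]; /* constructed stand-in for an E2 node identity */
    size_t   len;
} registry_t;

static int reg_contains(const registry_t *r, uint32_t id)
{
    for (size_t i = 0; i < r->len; i++)
        if (r->node_id[i] == id)
            return 1;
    return 0;
}

/* CWE-617 pattern: uniqueness enforced with assert() on peer-controlled input.
 * A second request with a known ID aborts the process (SIGABRT). Built with
 * NDEBUG, the check disappears and the duplicate is stored silently instead. */
void reg_add_asserting(registry_t *r, uint32_t id)
{
    assert(!reg_contains(r, id));
    assert(r->len < REG_MAX);
    r->node_id[r->len++] = id;
}

/* Hardened form: a duplicate is an expected protocol event, so it is reported
 * to the caller, which can reject the request and keep serving other nodes. */
reg_rc_t reg_add_checked(registry_t *r, uint32_t id)
{
    if (reg_contains(r, id))
        return REG_ERR_DUPLICATE;
    if (r->len >= REG_MAX)
        return REG_ERR_FULL;
    r->node_id[r->len++] = id;
    return REG_OK;
}
```

The checked variant leaves the registry unchanged on a duplicate, so the original registration stays intact while the second request is refused.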
Defensive priority
HIGH
Recommended defensive actions
- Deploy network segmentation to restrict E2 interface access (port 36421/SCTP) to authorized E2 Nodes only; implement allowlisting of legitimate E2 Node IDs at the network or transport layer
- Monitor for duplicate E2_SETUP_REQUEST messages from identical source identifiers as potential crash attempts
- Apply vendor patches when available to replace the assert() with graceful error handling and duplicate request rejection
- Consider SCTP multi-homing and heartbeat validation to reduce spoofing risk on the E2 interface
- Review O-RAN E2 termination points for crash recovery mechanisms (e.g., process supervision, automatic restart) to minimize service impact
Evidence notes
CVE published 2026-06-01T17:16:58.760Z; modified 2026-06-01T21:16:42.347Z. NVD status: Deferred. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Weakness: CWE-617 (Reachable Assertion). Vendor attribution based on reference domain candidate 'Eurecom' with low confidence; needs review. Source references include a GitHub security advisory and the FlexRIC GitLab repository.
Official resources
2026-06-01