PatchSiren cyber security CVE debrief
CVE-2026-37225 Eurecom CVE debrief
A cross-layer validation mismatch in FlexRIC v2.0.0 allows remote unauthenticated attackers to crash the iApp process via SIGABRT. The E42 layer decoder accepts an E42_RIC_SUBSCRIPTION_REQUEST with an empty ricEventTriggerDefinition field as valid input, but the downstream E2AP encoder enforces a non-empty constraint and triggers an assertion failure when forwarding the request. This results in denial of service on port 36422. The vulnerability was published on 2026-06-01 and carries a HIGH severity CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The weakness is classified as CWE-617: Reachable Assertion. Vendor attribution points to Eurecom as the reference domain candidate for the FlexRIC project, though confidence is low and the vendor field requires review. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.
- Vendor: Eurecom
- Product: FlexRIC
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-01
- Original CVE updated: 2026-06-01
- Advisory published: 2026-06-01
- Advisory updated: 2026-06-01
Who should care
Telecommunications operators deploying O-RAN near-RT RIC infrastructure with FlexRIC; security teams monitoring E2 interface availability; network engineers responsible for RAN function stability
Technical summary
The FlexRIC v2.0.0 iApp process listens on port 36422 and handles E42_RIC_SUBSCRIPTION_REQUEST messages. The E42 decoder layer does not enforce a non-empty ricEventTriggerDefinition, but the E2AP encoder layer asserts this constraint. A remote attacker sending a crafted request with an empty ricEventTriggerDefinition causes an assertion failure (SIGABRT), terminating the iApp process. The attack vector is network-based, requires no authentication, and has low attack complexity. Impact is limited to availability (no confidentiality or integrity effects per the CVSS vector).
Defensive priority
high
Recommended defensive actions
- Upgrade to a patched version of FlexRIC when available; no patched version is confirmed at time of disclosure
- Implement network segmentation to restrict access to iApp port 36422 to authorized E2 nodes and management hosts only
- Monitor for unexpected SIGABRT crashes in iApp process logs that may indicate exploitation attempts
- Validate ricEventTriggerDefinition field presence at the E42 ingress layer as a temporary compensating control if source code modifications are feasible
- Review and strengthen cross-layer validation between E42 decoder and E2AP encoder to prevent assertion-triggering state propagation
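One way to apply the last two actions, shown as an added example that is not FlexRIC's own code: the ingress path checks the same precondition the encoder asserts and returns an error instead of aborting. The types, function names and status codes are hypothetical stand-ins, and the assert only models the downstream encoder's constraint.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins, not FlexRIC's own types or function names. */
typedef struct { const uint8_t *buf; size_t len; } byte_array_t;
typedef struct {
    uint16_t ran_func_id;
    byte_array_t event_trigger;  /* models ricEventTriggerDefinition */
} sub_req_t;

typedef enum { SUB_OK = 0, SUB_ERR_NULL, SUB_ERR_EMPTY_TRIGGER, SUB_ERR_NO_SPACE } sub_status_t;

/* Ingress check: same precondition the encoder asserts, reported as an error. */
sub_status_t validate_sub_req(const sub_req_t *sr)
{
    if (sr == NULL)
        return SUB_ERR_NULL;
    if (sr->event_trigger.buf == NULL || sr->event_trigger.len == 0)
        return SUB_ERR_EMPTY_TRIGGER;
    return SUB_OK;
}

/* Models the downstream encoder: a non-empty trigger is a hard precondition. */
static size_t encode_sub_req(const sub_req_t *sr, uint8_t *out)
{
    assert(sr->event_trigger.len > 0 && "event trigger must not be empty");
    memcpy(out, sr->event_trigger.buf, sr->event_trigger.len);
    return sr->event_trigger.len;
}

/* Forwarding path: validate first, so untrusted input never reaches the assert. */
sub_status_t forward_sub_req(const sub_req_t *sr, uint8_t *out, size_t cap, size_t *written)
{
    sub_status_t st = validate_sub_req(sr);
    if (st != SUB_OK)
        return st;               /* caller rejects the request; process stays up */
    if (sr->event_trigger.len > cap)
        return SUB_ERR_NO_SPACE;
    *written = encode_sub_req(sr, out);
    return SUB_OK;
}
```

With the check in place the assert remains as an internal invariant, but remote input can no longer reach it.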
Evidence notes
The vulnerability description is sourced from the official CVE record and NVD entry. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H is taken from NVD metadata. CWE-617 (Reachable Assertion) is documented in NVD weakness data. Vendor evidence is limited to a reference domain candidate ('Eurecom') with low confidence, flagged for review. The source references include a GitHub security advisory repository and the FlexRIC GitLab repository.
Official resources
2026-06-01T17:16:58.880Z