PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-37227 EURECOM CVE debrief

FlexRIC v2.0.0 contains reachable assert(0) calls in stub message handlers for whitelisted but unimplemented E2AP message types in the near-RT RIC. A remote unauthenticated attacker can send a decodable E2AP PDU of such a type (e.g., E2nodeConfigurationUpdate) to crash the near-RT RIC process (port 36421) via SIGABRT. The message passes whitelist validation but triggers an unconditional assertion in the handler.

Vendor: EURECOM
Product: FlexRIC
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Operators of O-RAN deployments using FlexRIC v2.0.0 as the near-RT RIC, security teams monitoring E2 plane availability, and network architects designing E2AP exposure boundaries.

Technical summary

The near-RT RIC in FlexRIC v2.0.0 exposes E2AP on port 36421. The implementation contains stub handlers for certain E2AP message types that are whitelisted but not yet implemented. These stubs contain assert(0) calls that are reachable when a decodable PDU of the corresponding type is received. Because the message passes whitelist validation, an unauthenticated remote attacker can trigger the assertion, causing the near-RT RIC process to abort with SIGABRT. The CVSS 3.1 base score is 7.5 (HIGH) with network attack vector, low attack complexity, no privileges required, no user interaction, and high availability impact.

Defensive priority

HIGH

Recommended defensive actions

  • Restrict network access to the near-RT RIC E2AP service on port 36421 to trusted E2 nodes and management hosts only.
  • Monitor for unexpected SIGABRT crashes of the near-RT RIC process and correlate with E2AP message types that are whitelisted but not fully implemented.
  • Apply patches from the FlexRIC project when available, prioritizing updates that replace assert(0) stubs with proper error handling or implementation.
  • Review E2AP message whitelists to ensure only fully implemented message types are permitted until stubs are hardened.
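
One way to harden the stub pattern described above, as an added example that is not FlexRIC code: unimplemented message types get no handler, the whitelist is derived from the handler table, and dispatch returns an error instead of aborting. The enum values, return codes and function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical message-type ids for this sketch; not FlexRIC's own enum. */
typedef enum {
    MSG_E2_SETUP_REQUEST = 0,          /* assumed implemented in this sketch */
    MSG_E2_NODE_CONFIGURATION_UPDATE,  /* type named in the advisory; unimplemented */
    MSG_TYPE_COUNT
} msg_type_t;
typedef enum { RC_OK = 0, RC_UNKNOWN_TYPE = -1, RC_NOT_IMPLEMENTED = -2 } rc_t;
typedef rc_t (*handler_fn)(const unsigned char *pdu, size_t len);

static rc_t handle_setup_request(const unsigned char *pdu, size_t len)
{
    (void)pdu; (void)len;   /* real processing would go here */
    return RC_OK;
}

/* Hardened table: no assert(0) stubs; a NULL slot means "not implemented". */
static const handler_fn handlers[MSG_TYPE_COUNT] = {
    [MSG_E2_SETUP_REQUEST]             = handle_setup_request,
    [MSG_E2_NODE_CONFIGURATION_UPDATE] = NULL,
};

/* The whitelist is derived from the handler table, so the two cannot drift. */
static int is_whitelisted(int type)
{
    return type >= 0 && type < MSG_TYPE_COUNT && handlers[type] != NULL;
}

/* Dispatch a decoded PDU; peer input never reaches an assert or abort. */
rc_t dispatch(int type, const unsigned char *pdu, size_t len)
{
    if (type < 0 || type >= MSG_TYPE_COUNT)
        return RC_UNKNOWN_TYPE;
    if (!is_whitelisted(type)) {
        fprintf(stderr, "e2ap: rejecting unimplemented message type %d\n", type);
        return RC_NOT_IMPLEMENTED;
    }
    return handlers[type](pdu, len);
}

int main(void)
{
    unsigned char pdu[] = { 0x00 };  /* constructed placeholder, not real E2AP */
    int ok = dispatch(MSG_E2_SETUP_REQUEST, pdu, sizeof pdu);
    int rej = dispatch(MSG_E2_NODE_CONFIGURATION_UPDATE, pdu, sizeof pdu);
    printf("implemented=%d unimplemented=%d\n", ok, rej);
    return 0;
}
```

The rejection log line gives monitoring a per-message signal to correlate on, in place of a process crash.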

Evidence notes

The vulnerability was disclosed on 2026-06-01 and last modified on 2026-06-01T21:16:42.667Z. The NVD entry lists the vulnerability status as Deferred. The issue is tracked as CWE-617 (Reachable Assertion). The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, yielding a base score of 7.5 (HIGH). The vendor attribution is based on a low-confidence reference domain candidate pointing to Eurecom, which hosts the FlexRIC project repository.

Official resources

2026-06-01T17:16:58.993Z