PatchSiren

CVE-2026-37220 Mosaic5G CVE debrief

FlexRIC v2.0.0 contains a denial-of-service vulnerability in its near-RT RIC component. The software crashes when an SCTP association is closed before an E2_SETUP_REQUEST is sent, because the cleanup path assumes a mapping between the SCTP association and an E2 node always exists and enforces this assumption via assert(). A remote unauthenticated attacker can trigger this crash by completing an SCTP handshake to port 36421 and immediately disconnecting without transmitting any E2AP message.

Vendor: Mosaic5G
Product: FlexRIC
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Telecommunications operators deploying O-RAN near-RT RIC infrastructure; security teams responsible for RAN edge security; FlexRIC maintainers and downstream integrators

Technical summary

The near-RT RIC in FlexRIC v2.0.0 uses assert() to enforce an assumed invariant that an SCTP association always has a corresponding E2 node mapping during cleanup. This assumption is violated when a peer completes the SCTP handshake but disconnects before sending E2_SETUP_REQUEST, resulting in a null or uninitialized E2 node pointer. The assert() triggers process termination, causing a denial-of-service condition. The vulnerability is remotely exploitable without authentication and requires no application-layer protocol interaction beyond the transport handshake.
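
The pattern described above, modeled as an added example (not FlexRIC source code): a cleanup routine that asserts the association-to-node mapping exists, beside a form that treats a missing mapping as an expected state. The table layout and all function names here are hypothetical.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model, not FlexRIC source: a fixed table mapping SCTP
 * association ids to E2 node records. A slot is filled only after an
 * E2_SETUP_REQUEST has been processed for that association. */
#define MAX_ASSOC 8

typedef struct { int assoc_id; int in_use; } e2_node_t;

static e2_node_t table[MAX_ASSOC];

static e2_node_t *find_node(int assoc_id) {
    for (size_t i = 0; i < MAX_ASSOC; i++)
        if (table[i].in_use && table[i].assoc_id == assoc_id)
            return &table[i];
    return NULL; /* handshake completed, but no E2 setup was ever seen */
}

/* Called when an E2_SETUP_REQUEST arrives; returns 0 on success. */
int on_e2_setup(int assoc_id) {
    for (size_t i = 0; i < MAX_ASSOC; i++)
        if (!table[i].in_use) {
            table[i] = (e2_node_t){ .assoc_id = assoc_id, .in_use = 1 };
            return 0;
        }
    return -1; /* table full */
}

/* Fragile cleanup: whether the mapping exists is decided by the peer,
 * so assert() turns an early disconnect into process termination. */
void on_assoc_closed_fragile(int assoc_id) {
    e2_node_t *n = find_node(assoc_id);
    assert(n != NULL && "association must map to an E2 node");
    n->in_use = 0;
}

/* Hardened cleanup: a missing mapping is a normal outcome.
 * Returns 1 if a node was removed, 0 if there was nothing to clean up. */
int on_assoc_closed(int assoc_id) {
    e2_node_t *n = find_node(assoc_id);
    if (n == NULL) {
        fprintf(stderr, "assoc %d closed before E2 setup\n", assoc_id);
        return 0;
    }
    n->in_use = 0;
    return 1;
}
```

Building the fragile form with NDEBUG does not fix it: the assert() is compiled out and the next line dereferences a null pointer instead.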

Defensive priority

high

Recommended defensive actions

  • Restrict network access to SCTP port 36421 on near-RT RIC instances to authorized E2 nodes only, using host-based firewalls or network segmentation
  • Monitor for anomalous connection patterns to port 36421, particularly SCTP associations that terminate immediately after handshake completion without subsequent E2AP traffic
  • Apply vendor patches when available that replace the assert() with proper null-check or state validation in the SCTP association cleanup path
  • Consider implementing connection rate limiting or minimum connection duration thresholds on SCTP port 36421 to reduce exposure to rapid connect-disconnect attacks
  • Review logs for near-RT RIC process crashes and unexpected restarts that may indicate exploitation attempts

Evidence notes

The vulnerability description indicates the crash occurs in the SCTP association cleanup path when no E2_SETUP_REQUEST has been processed. The assert() failure suggests insufficient state validation before cleanup operations. The attack requires only network connectivity to the exposed SCTP port (36421) and does not require authentication or any E2AP protocol interaction beyond the initial transport handshake.
