By weakness (CWE)

CWE-617: related vulnerabilities

CVEs classified under CWE-617. Understanding the weakness class helps prioritize systemic fixes over one-off patches.

12 published vulnerabilities

  • CVE-2026-46117HIGH 7.8

    A flaw in the Linux kernel's RDMA/mana driver allows unprivileged local users to trigger a kernel warning and corrupt memory by creating queue pairs (QPs) that share the same completion queue (CQ) through the user-space API. The vulnerability bypasses validation logic that should reject this invalid configuration, leading to kernel memory corruption. The fix enforces proper validation to reject such requests at creation time rather than allowing them to proceed and corrupt state.

  • CVE-2026-37220HIGH 7.5

    FlexRIC v2.0.0 can be crashed by an attacker who connects to its E2 interface (port 36421) and immediately disconnects without sending any control messages. The near-RT RIC software assumes that every SCTP connection is paired with an E2 node setup, but this assumption breaks when a connection closes before that setup happens. An attacker anywhere on the network can trigger this crash repeatedly, causing service disruption.

  • CVE-2026-37221HIGH 7.5

    FlexRIC v2.0.0 contains a denial-of-service vulnerability where the near-RT RIC (Real-time Intelligent Controller) crashes when it receives a malformed RIC subscription response message. An attacker on the network can send a specially crafted response with an unknown subscription ID to port 36421, causing the service to crash. The crash occurs because the code uses assert() statements to validate internal state—a mechanism that terminates the program rather than handling errors gracefully. No authentication is required to exploit this issue.

  • CVE-2026-37222HIGH 7.5

    FlexRIC v2.0.0 contains a flaw that allows an unauthenticated attacker to crash the RAN Intelligent Controller (RIC) by sending specially crafted network messages. The vulnerability stems from overly strict validation logic that expects an exact count of data fields in E2AP protocol messages. When a message arrives with a different (but still valid per the protocol specification) number of fields, the application crashes rather than handling the variation gracefully. An attacker on the network can trigger this denial-of-service condition without any credentials or prior access.

  • CVE-2026-37223HIGH 7.5

    FlexRIC v2.0.0 has a flaw in how it handles incoming E2AP messages from radio access network controllers. The software uses an assertion check that crashes the entire process if it receives a message type it doesn't recognize. Because the iApp component and the near-RT RIC service run in the same process, crashing iApp takes down the entire RIC service, severing all connections to E2 Nodes and xApps. An attacker on the network can exploit this without authentication by sending a valid but unlisted E2AP message, causing immediate denial of service.

  • CVE-2026-37224HIGH 7.5

    FlexRIC v2.0.0 contains a denial-of-service vulnerability in its iApp registry component. When the application receives two E2_SETUP_REQUEST messages claiming to be from the same E2 Node (either legitimately duplicate or spoofed), the registry crashes instead of rejecting the duplicate. An attacker on the network can exploit this by sending crafted setup requests to port 36421, causing the iApp process to terminate. No authentication or special privileges are required.

  • CVE-2026-37225HIGH 7.5

    FlexRIC v2.0.0 contains a denial-of-service vulnerability in its iApp process that can be triggered remotely without authentication. An attacker can send a specially crafted subscription request with an incomplete field definition over the network, causing the application to crash immediately. The vulnerability stems from a mismatch between two internal validation layers: the network decoder accepts the malformed request as valid, but a downstream encoder enforces stricter rules and crashes the process rather than rejecting the input gracefully.

  • CVE-2026-37227HIGH 7.5

    FlexRIC v2.0.0 has a flaw that allows anyone on the network to crash the near-RT RIC (Radio Access Network Intelligent Controller) by sending it a specially crafted message. The vulnerability exists because the software accepts certain message types during initial validation but then hits an unconditional assertion when actually processing them, causing an immediate crash. No authentication is required—an attacker simply needs network access to port 36421 where the RIC listens.

  • CVE-2026-37228HIGH 7.5

    FlexRIC v2.0.0 has a flaw in how it handles incoming network messages that allows a remote attacker to crash critical RAN Intelligent Controller processes without needing credentials or a valid connection. An attacker simply sends a message larger than the system's receive buffer, triggering a fatal error. This affects the near-RT RIC, iApp, E2 Agent, and xApp components on standard E2AP ports, making it a availability risk for 5G infrastructure operators.

  • CVE-2026-37229HIGH 7.5

    FlexRIC v2.0.0, an open RAN intelligent controller, crashes when it receives malformed network data over SCTP. An attacker on the network can send a simple invalid byte sequence to either the near-RT RIC or iApp service (listening on ports 36421 and 36422) and cause an immediate denial of service. The vulnerability exists in the ASN.1 message decoding layer and triggers before the system performs any security checks, making it trivial to exploit.

  • CVE-2026-37233HIGH 7.5

    FlexRIC v2.0.0 has a critical flaw in how it isolates multiple xApps (RAN applications) running on the same RIC (RAN Intelligent Controller). A malicious xApp can trick the system into thinking it owns another xApp's subscriptions and delete them, disrupting service for legitimate applications. The root cause is a simple but devastating coding error: the isolation check compares an xApp's ID to itself instead of comparing it to the requesting xApp's ID, rendering the multi-tenant protection completely ineffective.

  • CVE-2026-10300LOW 3.7

    SGLang version 0.5.10.post1 contains a vulnerability in its inference HTTP endpoint that can be triggered by manipulating the lora_path argument. When an attacker provides a specially crafted lora_path value, the system reaches an assertion condition that causes the service to become unavailable. This is a remote vulnerability requiring network access, though the attack is complex to execute and not trivial to exploit in practice.