By vendor
Mosaic5g vulnerabilities
Known CVEs affecting Mosaic5g products, prioritized by severity, with SEC.co remediation and detection guidance.
8 published vulnerabilities
- CVE-2026-37234HIGH 8.2
FlexRIC v2.0.0 contains a resource management flaw in how it handles SCTP (Stream Control Transmission Protocol) connections to the RIC (Radio Interface Controller). An attacker can abuse the E42 setup protocol to register multiple application IDs (xapp_ids) over a single connection. When that connection is closed, only the first registered application's resources are cleaned up; the others remain as orphaned entries in system memory. Over time or through repeated connections, this allows an attacker to accumulate stale subscriptions and exhaust available resources, potentially corrupting the internal state of the intelligent application platform (iApp).
- CVE-2026-37226HIGH 7.5
FlexRIC v2.0.0 contains a denial-of-service vulnerability in its iApp component. When the application receives a subscription request referencing an E2 Node that doesn't exist in the system, it crashes instead of handling the invalid reference gracefully. An attacker on the network can trigger this crash by sending a specially crafted request, causing the iApp process to go offline and disrupting O-RAN operations.
- CVE-2026-37228HIGH 7.5
FlexRIC v2.0.0 has a flaw in how it handles incoming network messages that allows a remote attacker to crash critical RAN Intelligent Controller processes without needing credentials or a valid connection. An attacker simply sends a message larger than the system's receive buffer, triggering a fatal error. This affects the near-RT RIC, iApp, E2 Agent, and xApp components on standard E2AP ports, making it a availability risk for 5G infrastructure operators.
- CVE-2026-37229HIGH 7.5
FlexRIC v2.0.0, an open RAN intelligent controller, crashes when it receives malformed network data over SCTP. An attacker on the network can send a simple invalid byte sequence to either the near-RT RIC or iApp service (listening on ports 36421 and 36422) and cause an immediate denial of service. The vulnerability exists in the ASN.1 message decoding layer and triggers before the system performs any security checks, making it trivial to exploit.
- CVE-2026-37230HIGH 7.5
FlexRIC v2.0.0, an open RAN (O-RAN) near-real-time RIC (intelligent controller), crashes when it receives a RIC_INDICATION message with an invalid ran_func_id—a function identifier that doesn't exist in its internal registry. An unauthenticated attacker on the network can trigger this crash by sending a specially crafted message to port 36421, causing either an assertion failure in debug builds or a segmentation fault in release builds. This is a denial-of-service vulnerability that can disrupt RAN management and orchestration.
- CVE-2026-37231HIGH 7.5
FlexRIC v2.0.0 contains a counter overflow vulnerability that causes the application identifier (xapp_id) assignment mechanism to generate duplicate IDs after approximately 65,530 registration requests. When a duplicate ID is registered, the iApp component—which listens on port 36422—crashes due to an unhandled collision in its internal data structure. An attacker with network access can systematically trigger this denial-of-service condition by repeatedly initiating E42_SETUP_REQUEST messages to force counter wraparound and subsequent application crashes.
- CVE-2026-37233HIGH 7.5
FlexRIC v2.0.0 has a critical flaw in how it isolates multiple xApps (RAN applications) running on the same RIC (RAN Intelligent Controller). A malicious xApp can trick the system into thinking it owns another xApp's subscriptions and delete them, disrupting service for legitimate applications. The root cause is a simple but devastating coding error: the isolation check compares an xApp's ID to itself instead of comparing it to the requesting xApp's ID, rendering the multi-tenant protection completely ineffective.
- CVE-2026-37235HIGH 7.5
FlexRIC v2.0.0 contains a critical authentication bypass flaw in its E42 message handler. An attacker on the network can forge requests claiming to be any authorized xApp (a RIC application component) without proving their identity. The system validates only that the claimed xApp ID falls within a valid range, but does not verify that the request actually originated from that xApp. By sending a malicious request with a spoofed xApp ID to the iApp service on port 36422, an attacker can trick the RIC into routing responses to a legitimate xApp, corrupting its internal state and potentially crashing it, the RIC itself, or the iApp.