HIGH 7.5

CVE-2026-37220: FlexRIC v2.0.0 Denial of Service via SCTP Assertion Failure

FlexRIC v2.0.0 can be crashed by an attacker who connects to its E2 interface (port 36421) and immediately disconnects without sending any control messages. The near-RT RIC software assumes that every SCTP connection is paired with an E2 node setup, but this assumption breaks when a connection closes before that setup happens. An attacker anywhere on the network can trigger this crash repeatedly, causing service disruption.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-617
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

FlexRIC v2.0.0 crashes when an SCTP association is closed before an E2_SETUP_REQUEST is sent. The near-RT RIC assumes a mapping between SCTP association and E2 node always exists in the cleanup path and enforces this via assert(). A remote unauthenticated attacker can crash the near-RT RIC (port 36421) by simply completing an SCTP handshake and immediately disconnecting, without sending any E2AP message.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-37220 is a denial-of-service vulnerability in FlexRIC v2.0.0 caused by improper state management in the SCTP connection cleanup path. When an SCTP association terminates before an E2_SETUP_REQUEST message is received, the near-RT RIC attempts to look up an E2 node mapping that was never created. Rather than handling this gracefully, the code enforces the invariant via assert(), which crashes the process when the condition fails. The vulnerability resides in the unsanitized assumption that association lifecycle and E2 node lifecycle are synchronized. An unauthenticated, network-adjacent attacker can repeatedly open and close SCTP connections to port 36421 without sending E2AP payloads, reliably triggering the assert() failure and restarting the RIC service.

Business impact

Successful exploitation causes immediate availability loss of the near-RT RIC, disrupting radio access network coordination and optimization services. In production 5G deployments, RIC unavailability cascades to degraded network performance, service interruptions for subscribers, and potential revenue impact. Recovery requires manual RIC restart, extending downtime. The attack requires no authentication and minimal resources, making it trivial to execute at scale. Frequent exploitation could damage network SLA compliance and customer confidence.

Affected systems

FlexRIC v2.0.0 is affected. The vulnerability targets the E2 interface listener on port 36421 of the near-RT RIC component. Deployments running this specific version with exposed E2 ports are at immediate risk. Verify your FlexRIC version via administrative interfaces or deployment documentation. No other vendor products are currently listed as affected.

Exploitability

This vulnerability has a CVSS 3.1 score of 7.5 (HIGH) with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, reflecting network accessibility, low complexity, no privilege requirement, and high availability impact. Exploitation is trivial: an attacker needs only basic SCTP client code to complete a handshake and immediately close the connection. No E2AP protocol knowledge is required. The attack is repeatable and deterministic, making it suitable for automated disruption. Current KEV status is non-exploited-in-wild, but the low barrier to entry and high impact create significant risk of future weaponization.

Remediation

Immediately upgrade FlexRIC to a patched version that properly handles SCTP associations closed before E2 node setup completion. The fix should validate the existence of E2 node state before cleanup operations and avoid assertions on untrusted input. Verify the patched version against the vendor advisory. As an interim measure, restrict network access to port 36421 via firewall rules, limiting E2 connections to authorized eNodeB and gNodeB sources. This does not eliminate the vulnerability but significantly raises the attack surface.

Patch guidance

Check the FlexRIC vendor advisory for the specific patched version. Apply updates during a maintenance window with a rollback plan, as RIC service restarts will briefly disrupt RAN optimization. Test the patch in a non-production environment first to confirm functionality. After patching, verify that E2 associations are properly cleaned up and that the assert() on stale state has been replaced with defensive programming. If a vendor advisory has not yet been published, contact your FlexRIC vendor or support channel for guidance on timeline and workarounds.

Detection guidance

Monitor the near-RT RIC process for unexpected crashes and restarts correlated with short-lived SCTP connections on port 36421. Enable SCTP logging and connection state tracking to identify rapid connect-disconnect patterns from a single source or distributed sources. Parse RIC logs for assert() failures in the E2 association cleanup code path. Network anomaly detection should flag repeated connection attempts that close before E2AP message exchange. Correlate timing of E2 interface errors with subscriber-facing RAN performance degradation to confirm operational impact.

Why prioritize this

This vulnerability merits immediate attention due to its high CVSS score (7.5), trivial exploitability, and total availability impact. The attack is unauthenticated, requires no special credentials or protocol knowledge, and can be launched from any network vantage point with E2 port access. In 5G production networks, RIC unavailability has direct customer-facing consequences. Even though the vulnerability is not yet listed in CISA's Known Exploited Vulnerabilities catalog, the ease of weaponization and lack of detection complexity create strong incentive for adversaries or disruptive actors. Patching should begin immediately if a fix is available.

Risk score, explained

The CVSS 3.1 HIGH score of 7.5 accurately reflects the severity: no authentication, low attack complexity, availability impact only (no confidentiality or integrity breach), and network-wide scope. The vulnerability warrants the highest priority tier for patching due to low friction of exploitation, the critical nature of RIC availability, and the operational cascade effects of a downed RIC in live RAN deployments. Organizations without a patch in hand should immediately implement network-level compensating controls.

Frequently asked questions

Can an attacker cause data breach or unauthorized access via this vulnerability?

No. This vulnerability causes only denial of service—the RIC process crashes and restarts. There is no confidentiality or integrity impact. Attackers cannot steal data, modify configuration, or manipulate network state. The only impact is service unavailability.

Does this vulnerability require the attacker to be authenticated or on a specific network segment?

No authentication is required. The vulnerability can be triggered by any attacker with network access to port 36421. In many deployments, the E2 interface is accessible from the eNodeB/gNodeB subnet, which may span multiple network zones. Verify your port 36421 firewall policy to confirm if external or untrusted hosts can reach it.

How can I tell if my FlexRIC installation is vulnerable?

Check your FlexRIC version via vendor documentation or the RIC admin interface. Only v2.0.0 is explicitly confirmed as affected. If you are running v2.0.0 and have not applied a vendor-supplied patch, assume you are vulnerable. Check the FlexRIC vendor advisory for a list of patched versions and any interim guidance.

What happens if someone exploits this repeatedly?

Each exploitation crashes the RIC service, which then restarts (if monitored and auto-restarted by a supervisor process). Repeated attacks cause persistent service interruptions, degraded RAN optimization, and customer-visible performance issues. If the RIC does not auto-restart, manual intervention is required, extending downtime significantly.

This analysis is based on CVE-2026-37220 as published. No exploit code, weaponized proof-of-concept, or vendor-specific patch version numbers are provided herein. Patch version details must be verified against the official FlexRIC vendor advisory. This vulnerability is marked as not currently exploited in the wild according to CISA KEV data, but organizations should prioritize patching due to low attack complexity. Network controls are interim measures and do not substitute for vendor patching. This analysis is provided for informational purposes and should be contextualized within your specific RIC deployment topology and risk posture. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).