HIGH 7.5

CVE-2026-37221: FlexRIC v2.0.0 Unauthenticated Denial-of-Service via RIC Message Crash

FlexRIC v2.0.0 contains a denial-of-service vulnerability where the near-RT RIC (Real-time Intelligent Controller) crashes when it receives a malformed RIC subscription response message. An attacker on the network can send a specially crafted response with an unknown subscription ID to port 36421, causing the service to crash. The crash occurs because the code uses assert() statements to validate internal state—a mechanism that terminates the program rather than handling errors gracefully. No authentication is required to exploit this issue.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-617
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

FlexRIC v2.0.0 crashes when receiving a RIC_SUBSCRIPTION_RESPONSE with an unknown ric_id that has no corresponding pending event. The near-RT RIC uses assert() to enforce the existence of a pending event during response processing. A remote unauthenticated attacker can send a forged RIC_SUBSCRIPTION_RESPONSE to the near-RT RIC (port 36421) to cause SIGABRT in Debug builds or NULL pointer dereference (SIGSEGV) in Release builds.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-37221 stems from improper error handling in FlexRIC's RIC_SUBSCRIPTION_RESPONSE message processor. The near-RT RIC expects every response message to correspond to a pending subscription event tracked in local state. When a response arrives with an unknown ric_id, the code invokes assert() to enforce the invariant that a matching pending event must exist. In Debug builds, this assertion failure raises SIGABRT. In Release builds where assertions are often disabled, the subsequent code attempts to dereference a NULL pointer, resulting in SIGSEGV. The vulnerability is classified as CWE-617 (Assertion Failure) and can be triggered by any remote actor with network access to port 36421.

Business impact

This vulnerability enables attackers to remotely disable near-RT RIC services without authentication, disrupting RAN (Radio Access Network) orchestration and automation. In environments where near-RT RIC is a critical component of network management, repeated crashes or sustained crashes could degrade service availability, impact call setup delays, or prevent real-time optimization of network resources. Recovery requires manual restart and may cause transient loss of dynamic RAN adjustments. Organizations relying on FlexRIC for near-real-time network control should prioritize mitigation.

Affected systems

FlexRIC v2.0.0 is affected. The vulnerability resides in the near-RT RIC listener on port 36421, which processes inbound RIC_SUBSCRIPTION_RESPONSE messages. Any deployment of FlexRIC v2.0.0 that exposes this port to untrusted networks is susceptible. The vendor has not provided information on whether earlier or later versions are affected; verify against the official vendor advisory.

Exploitability

Exploitability is high. The attack requires only network reachability to port 36421 and no authentication credentials. Crafting a malformed RIC_SUBSCRIPTION_RESPONSE message is straightforward for an attacker with knowledge of the RIC protocol format. The vulnerability is trivial to trigger repeatedly, making it suitable for DoS attacks. No user interaction is needed. However, active exploitation in the wild has not been confirmed (KEV status is not active).

Remediation

Upgrade FlexRIC to a patched version once the vendor releases one. In the interim, implement network-level controls: restrict access to port 36421 using firewall rules, allow only trusted RIC controllers to communicate with the near-RT RIC, and monitor for unexpected RIC_SUBSCRIPTION_RESPONSE messages from unknown sources. Consider isolating near-RT RIC services to a protected management network and implement rate limiting on subscription response handling. Consult the vendor advisory for the specific patched version and validation steps.

Patch guidance

Monitor the vendor's advisory channels for a security patch. Apply the patch during a maintenance window after validating it in a test environment. The patch should replace the assert()-based validation with proper error handling that returns an error code or discards the malformed message without crashing the process. Before patching production systems, verify that the patched version does not introduce regressions in subscription handling or performance. Rollback procedures should be documented.

Detection guidance

Monitor near-RT RIC process logs for unexpected SIGABRT or SIGSEGV signals on port 36421. Implement alerts for rapid service restarts or repeated crashes of the FlexRIC process. Network-level detection: capture and inspect RIC_SUBSCRIPTION_RESPONSE packets for responses with ric_ids that do not correspond to known pending subscriptions. Correlate RIC message logs with system crash logs to identify attack patterns. Set up anomaly detection for port 36421 traffic originating from unexpected IP ranges.

Why prioritize this

This vulnerability merits urgent attention due to its high CVSS score (7.5), unauthenticated attack vector, low complexity, and direct impact on service availability. While not yet actively exploited in the wild (KEV status is inactive), the ease of exploitation and the criticality of near-RT RIC in modern RAN architectures make it a priority for patching. Organizations should treat this as a high-priority item for network segment access control and patch deployment planning.

Risk score, explained

The CVSS v3.1 score of 7.5 (HIGH) reflects an unauthenticated, low-complexity, network-based denial-of-service attack with no user interaction required. The attack vector is Network (AV:N), access complexity is Low (AC:L), privileges are None (PR:N), and user interaction is None (UI:N). The scope is Unchanged (S:U), and availability impact is High (A:H). Confidentiality and integrity are unaffected. The score appropriately captures the severity of a remotely triggerable crash but does not account for exploits already in active use (KEV status suggests this is still emerging).

Frequently asked questions

Is authentication required to trigger this vulnerability?

No. An unauthenticated attacker on the network can send a forged RIC_SUBSCRIPTION_RESPONSE message to port 36421 and cause a crash. This is a critical aspect of the vulnerability's severity.

Which versions of FlexRIC are affected?

Based on the available information, FlexRIC v2.0.0 is confirmed vulnerable. The vendor advisory should be consulted to determine if earlier versions, later versions, or patch releases address this issue.

What is the difference between the crash behavior in Debug and Release builds?

In Debug builds, the assert() fails and raises SIGABRT, terminating the process cleanly. In Release builds, assertions are typically optimized away, so the code proceeds to dereference a NULL pointer, causing SIGSEGV. Both result in a crash and service disruption.

Can this be exploited from outside my network?

Yes, if port 36421 is exposed to untrusted networks or the internet. Firewall rules and network segmentation are essential to restrict access to this port to only authorized RIC controllers.

This analysis is based on the CVE record published as of 2026-06-17 and reflects information available at that time. No patch version information has been confirmed; verify all remediation steps against the official vendor advisory before applying patches. The absence of KEV (CISA Known Exploited Vulnerabilities) status does not guarantee active exploitation is impossible—defensive measures should be implemented immediately regardless. SEC.co provides this analysis for informational purposes and does not warrant its completeness or accuracy for any specific deployment context. Organizations should conduct their own risk assessment tailored to their infrastructure and threat landscape. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).