HIGH 7.5

FlexRIC v2.0.0 Denial of Service Vulnerability (CVE-2026-37224) — E2_SETUP_REQUEST Crash

FlexRIC v2.0.0 contains a denial-of-service vulnerability in its iApp registry component. When the application receives two E2_SETUP_REQUEST messages claiming to be from the same E2 Node (either legitimately duplicate or spoofed), the registry crashes instead of rejecting the duplicate. An attacker on the network can exploit this by sending crafted setup requests to port 36421, causing the iApp process to terminate. No authentication or special privileges are required.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-617
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

FlexRIC v2.0.0 crashes when receiving a duplicate E2_SETUP_REQUEST from the same or spoofed E2 Node. The iApp registry enforces node ID uniqueness via assert() rather than graceful rejection. A remote unauthenticated attacker can crash the iApp process (port 36421) by sending two E2_SETUP_REQUESTs with the same E2 node configuration, triggering SIGABRT.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from improper input validation in FlexRIC's iApp registry. The registry uses an assert() statement to enforce E2 Node ID uniqueness rather than implementing graceful error handling. When duplicate E2_SETUP_REQUEST messages arrive with identical node identifiers, the assert() condition fails, triggering SIGABRT and crashing the iApp process. The vulnerability is classified as CWE-617 (Assertion Failure in Software), indicating the root cause is assertion-based validation deployed in a security-critical code path without fallback mechanisms. The attack surface is exposed on port 36421 and accessible to any network-adjacent attacker.

Business impact

Availability of the RIC (RAN Intelligent Controller) infrastructure is directly compromised. Repeated exploitation can render the iApp unable to onboard or manage E2 Nodes, disrupting radio access network optimization and monitoring functions. In production O-RAN environments, this creates operational gaps during incident response, network tuning, or emergency scaling scenarios. Recovery requires manual process restart and potential loss of in-flight transactions or state information.

Affected systems

FlexRIC v2.0.0 is affected. The vulnerability manifests on the iApp component listening on port 36421. Deployments in open or semi-open networks where E2 Node traffic can originate from untrusted sources face elevated risk. Air-gapped or strictly access-controlled RIC environments have reduced exposure but should still be patched to maintain security posture.

Exploitability

Exploitability is straightforward and requires no special tooling. An attacker simply crafts two E2_SETUP_REQUEST frames with matching E2 Node identifiers and sends them to the target iApp port. No authentication bypass, complex timing, or prior system compromise is necessary. The CVSS score of 7.5 (HIGH) reflects the low attack complexity, no privileges required, and network accessibility of the vulnerable service. However, the vulnerability does not enable unauthorized data access or control—impact is limited to availability.

Remediation

Upgrade FlexRIC to a patched version that replaces assert()-based validation with graceful error handling. The fix should log duplicate setup requests, reject them with appropriate error responses, and maintain iApp process stability. Verify against the vendor advisory for specific patched version numbers and any interim configuration hardening options. Until patching is complete, restrict network access to port 36421 using firewall rules to allow only trusted E2 Node sources.

Patch guidance

Consult the FlexRIC vendor security advisory for confirmed patched version availability and release dates. Apply patches in a staged rollout beginning with non-production environments to validate compatibility with your O-RAN topology and existing orchestration workflows. After patching, perform functional testing to confirm E2 Node onboarding and iApp stability under normal load.

Detection guidance

Monitor for repeated E2_SETUP_REQUEST messages originating from the same E2 Node identity within short time windows. Log all iApp process crashes and SIGABRT signals on port 36421 for forensic review. Implement alerting on unexpected iApp restarts, particularly if they correlate with suspicious E2 traffic patterns. Network intrusion detection can flag duplicate node setup attempts as potential scanning or attack precursors.

Why prioritize this

Although the CVSS score is HIGH (7.5), this vulnerability poses immediate operational risk to RIC availability in production networks. O-RAN deployments are increasingly critical for 5G infrastructure, and any DoS vector that bypasses authentication warrants rapid patching. The low attack complexity and unauthenticated nature elevate urgency, especially for operators managing multiple RICs or running them in less restricted network segments.

Risk score, explained

CVSS 7.5 reflects a high-availability impact (complete iApp process crash) combined with network accessibility and zero authentication requirements. The vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H indicates an unauthenticated, low-complexity network attack with no user interaction, resulting in complete availability loss within the RIC scope. Confidentiality and integrity are unaffected, preventing a critical rating.

Frequently asked questions

Can an attacker gain code execution or access RIC data via this vulnerability?

No. This vulnerability only enables denial of service by crashing the iApp process. It does not provide code execution, data access, or privilege escalation. Attackers cannot read E2 Node state or RIC configuration.

Does access control on port 36421 completely mitigate the risk?

Network segmentation significantly reduces risk but is not a complete substitute for patching. Insider threats, compromised E2 Nodes within the trusted zone, or misconfigured firewall rules could still enable exploitation. Patching remains essential.

Will patching disrupt active E2 Node sessions?

Patching requires an iApp restart, which will briefly interrupt ongoing management sessions. Plan patching during maintenance windows and coordinate with affected E2 Nodes to minimize disruption.

Is this vulnerability present in FlexRIC versions prior to v2.0.0?

The vulnerability description is specific to v2.0.0. Consult vendor documentation to determine if older versions are also affected or if the issue was introduced in v2.0.0.

This analysis is based on publicly disclosed vulnerability information as of June 2026. Vendor advisories and patch availability may be updated after publication. Organizations should verify patch applicability, test in staging environments, and consult vendor guidance for deployment-specific impacts. No exploit code or weaponized proof-of-concept is provided in this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).