CVE-2026-37225: FlexRIC v2.0.0 Remote Denial of Service
FlexRIC v2.0.0 contains a denial-of-service vulnerability in its iApp process that can be triggered remotely without authentication. An attacker can send a specially crafted subscription request with an incomplete field definition over the network, causing the application to crash immediately. The vulnerability stems from a mismatch between two internal validation layers: the network decoder accepts the malformed request as valid, but a downstream encoder enforces stricter rules and crashes the process rather than rejecting the input gracefully.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-617
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
FlexRIC v2.0.0 crashes when the iApp receives an E42_RIC_SUBSCRIPTION_REQUEST with an empty ricEventTriggerDefinition field. The E42 layer decoder accepts this as valid, but the E2AP encoder asserts a non-empty constraint when forwarding the request. A remote unauthenticated attacker can crash the iApp process (port 36422) via SIGABRT by exploiting this cross-layer validation mismatch.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in FlexRIC v2.0.0's handling of E42_RIC_SUBSCRIPTION_REQUEST messages. When a ricEventTriggerDefinition field is empty, the E42 layer decoder does not reject the message. However, when the E2AP encoder attempts to process the forwarded request, it asserts a non-empty constraint on that field. This assertion failure triggers SIGABRT termination of the iApp process listening on port 36422. The root cause is inadequate input validation and lack of cross-layer constraint enforcement before message propagation. No authentication is required to send packets to this port, making the attack surface fully exposed.
Business impact
Organizations running FlexRIC v2.0.0 face immediate service disruption risk. An attacker can remotely crash the iApp without credentials, interrupting RAN (Radio Access Network) control functions that depend on stable subscription management. Repeated exploitation could lead to sustained unavailability, affecting mobile network operations and customer connectivity. The lack of authentication lowers the barrier to attack, making opportunistic exploitation likely if the vulnerability becomes public.
Affected systems
FlexRIC v2.0.0 is affected. The specific iApp process on port 36422 is vulnerable to remote crash via E42_RIC_SUBSCRIPTION_REQUEST messages with empty ricEventTriggerDefinition fields. Verify your deployment version against vendor advisories to confirm scope.
Exploitability
Exploitability is high. The vulnerability requires network access to port 36422, which is unauthenticated, and a simple payload (a subscription request with an empty trigger definition field). No special privileges, user interaction, or complex preconditions are required. An attacker with basic protocol knowledge can craft the malicious packet. Attack complexity is low and can be automated or weaponized easily once the exploit vector is understood.
Remediation
Upgrade FlexRIC to a patched version that implements proper cross-layer input validation. Verify the specific patched version against vendor advisories. As an interim measure, restrict network access to port 36422 to trusted RIC peers and management subnets using firewall rules. Monitor for unexpected subscription requests or abnormal iApp process crashes.
Patch guidance
Contact your FlexRIC vendor or consult their security advisories for the specific patched version addressing CVE-2026-37225. Apply patches to all FlexRIC v2.0.0 deployments as soon as available. Test patches in a non-production environment before production rollout to ensure compatibility with your RAN topology. Enable automatic security updates if your deployment supports it.
Detection guidance
Monitor iApp process terminations and SIGABRT signals on systems running FlexRIC. Log and alert on any E42_RIC_SUBSCRIPTION_REQUEST messages with empty ricEventTriggerDefinition fields. Implement network-level detection by inspecting E2AP traffic for malformed subscription requests from untrusted sources. Baseline normal process uptime and alert on unexplained restarts of the iApp service on port 36422.
Why prioritize this
CVE-2026-37225 merits immediate attention due to its high CVSS score (7.5), network-accessible attack vector, lack of authentication requirement, and direct impact on service availability. While not currently in the KEV catalog, the simplicity of exploitation and potential for large-scale disruption in RAN environments justify rapid remediation prioritization.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects a network-accessible, unauthenticated attack with low complexity that directly impacts availability. Although confidentiality and integrity are not affected, complete denial of service to a critical network control function is a material business risk. The score does not account for environmental factors such as network segmentation or the criticality of RAN operations in your infrastructure—assess and adjust internal risk ratings accordingly.
Frequently asked questions
Can this vulnerability be exploited from the internet?
Yes, if port 36422 is reachable from the attacker's network. However, most mobile network deployments isolate RIC control traffic behind firewalls. Verify your network architecture and firewall rules to confirm whether external exposure exists.
Is authentication required to trigger the crash?
No. The E42_RIC_SUBSCRIPTION_REQUEST can be sent by any network actor capable of reaching port 36422. This makes the attack surface significantly larger than vulnerabilities requiring credentials.
Does this vulnerability allow data theft or code execution?
No. This is a denial-of-service issue limited to crashing the iApp process. There is no path to remote code execution or data exfiltration from this vulnerability alone.
What should I do if I cannot patch immediately?
Restrict network access to port 36422 using firewall rules to only trusted RIC peers and management systems. Monitor iApp process logs for crashes. Set up automated service restart policies to restore availability quickly if the process terminates.
This analysis is based on the CVE description and CVSS assessment as of the publication date. Vendor advisories, including specific patched versions and mitigation steps, should be consulted for authoritative remediation guidance. No exploit code or proof-of-concept is provided. Organizations should validate patch applicability and test thoroughly in non-production environments before deployment. Risk scores may vary based on your network architecture, segmentation, and operational criticality. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-37220HIGHFlexRIC v2.0.0 Denial of Service via SCTP Assertion Failure
- CVE-2026-37221HIGHFlexRIC v2.0.0 Unauthenticated Denial-of-Service via RIC Message Crash
- CVE-2026-37222HIGHFlexRIC E2AP Denial-of-Service Vulnerability – Analysis & Remediation
- CVE-2026-37223HIGHFlexRIC E2AP Dispatcher Assertion DoS – High-Severity O-RAN Vulnerability
- CVE-2026-37224HIGHFlexRIC v2.0.0 Denial of Service Vulnerability (CVE-2026-37224) — E2_SETUP_REQUEST Crash
- CVE-2026-37227HIGHFlexRIC v2.0.0 Near-RT RIC Denial of Service (CWE-617)
- CVE-2026-37228HIGHFlexRIC v2.0.0 Remote Denial-of-Service via SCTP Buffer Overflow
- CVE-2026-37229HIGHFlexRIC v2.0.0 Remote Denial of Service via Malformed SCTP