CVE-2026-37226: FlexRIC iApp Denial-of-Service via Invalid E2 Node Subscription
FlexRIC v2.0.0 contains a denial-of-service vulnerability in its iApp component. When the application receives a subscription request referencing an E2 Node that doesn't exist in the system, it crashes instead of handling the invalid reference gracefully. An attacker on the network can trigger this crash by sending a specially crafted request, causing the iApp process to go offline and disrupting O-RAN operations.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-476
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
FlexRIC v2.0.0 crashes when the iApp receives an E42_RIC_SUBSCRIPTION_REQUEST referencing a non-existent E2 Node. The lookup function returns NULL, which is enforced by assert() in Debug builds (SIGABRT) and dereferenced in Release builds (SIGSEGV). A remote unauthenticated attacker can crash the iApp process (port 36422) by sending a subscription request with an arbitrary global_e2_node_id.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-37226 is a NULL pointer dereference vulnerability in the FlexRIC iApp's E2 subscription handler (CWE-476). When an E42_RIC_SUBSCRIPTION_REQUEST message references a non-existent global_e2_node_id, the lookup function returns NULL. In Debug builds, this NULL is caught by an assert() statement, generating SIGABRT and terminating the process. In Release builds, the NULL pointer is dereferenced without assertion checks, causing a segmentation fault (SIGSEGV) and immediate crash. The vulnerable code path is reachable remotely without authentication via port 36422.
Business impact
iApp unavailability directly disrupts RIC (Radio Intelligent Controller) operations and E2 node management in an O-RAN deployment. Repeated attacks can cause frequent service interruptions, impacting network optimization, slice management, and real-time control functions. While confidentiality and integrity are not compromised, the availability impact is severe and can cascade into degraded network performance if the iApp is not rapidly restarted and the underlying issue not patched.
Affected systems
Mosaic 5G FlexRIC v2.0.0 and systems running this version are affected. The vulnerability is present in both Debug and Release build variants, though the failure mode differs. Any O-RAN deployment using this version is vulnerable if the iApp process is exposed to untrusted network traffic.
Exploitability
Exploitability is high. The vulnerability requires no authentication, no special privileges, and no user interaction. An attacker needs only network reachability to port 36422 and the ability to craft a valid E42_RIC_SUBSCRIPTION_REQUEST frame with an arbitrary global_e2_node_id value. The attack is deterministic and causes immediate, visible impact. The CVSS score of 7.5 reflects the high attack complexity being low and the unauthenticated, network-adjacent nature of the threat.
Remediation
Apply a patch from Mosaic 5G that adds null-pointer validation and proper error handling to the E2 Node lookup and subscription request flow. Verify the patched version correctly rejects subscription requests with non-existent node IDs and returns an appropriate error response rather than crashing. Until patching is possible, restrict network access to port 36422 to trusted RIC management interfaces and implement rate limiting on subscription requests.
Patch guidance
Contact Mosaic 5G for the patched version of FlexRIC addressing this vulnerability. Patch releases typically include input validation for global_e2_node_id and graceful error handling in the subscription request handler. Verify the patch version in Mosaic 5G's security advisory before deployment. Test the patch in a non-production environment to confirm E2 subscription requests with invalid node IDs are now rejected without crashing the iApp.
Detection guidance
Monitor for repeated crashes of the FlexRIC iApp process on port 36422, particularly if correlated with unexpected network traffic or E2 subscription requests in logs. Watch for segmentation faults or assertion failures in iApp debug output. Implement network-level detection by monitoring for E42_RIC_SUBSCRIPTION_REQUEST frames with global_e2_node_id values that do not correspond to known, registered E2 nodes. Anomalous subscription requests followed by iApp restarts indicate active exploitation attempts.
Why prioritize this
Despite CWE-476 being a common NULL pointer bug, the context elevates its priority. FlexRIC is core RAN control infrastructure; iApp downtime directly affects network availability and slice management. The attack is trivial to execute, unauthenticated, and reproducible. Organizations relying on this version for production O-RAN should patch urgently. Non-production or lab-only deployments can accept slightly longer remediation timelines if network segmentation is in place.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) captures a direct denial-of-service condition on a network-accessible service with no authentication or user interaction required. The attack vector is network-based, complexity is low, and the impact is total unavailability of the iApp process. The score does not reflect data breach or corruption risk because none exists; it purely quantifies the availability loss, which is severe for infrastructure software.
Frequently asked questions
Does this vulnerability allow an attacker to execute code or steal data?
No. This is a denial-of-service vulnerability that crashes the iApp process. It does not permit code execution, privilege escalation, or access to sensitive data. The impact is limited to availability.
Can the crash be triggered from the management network only, or from any network?
The vulnerability is reachable remotely over the network to port 36422. If that port is exposed to untrusted networks (e.g., the internet), anyone with network access can trigger the crash. If port 36422 is segmented to trusted management networks only, the attack surface is reduced but not eliminated.
Do both Debug and Release builds need to be patched?
Yes. Debug builds abort via assert() and Release builds crash via NULL dereference, but both are vulnerable. The underlying issue—missing validation and error handling—exists in both. A single patch addressing input validation will resolve both variants.
What happens when the iApp crashes? Does it automatically restart?
Automatic restart depends on the deployment's process supervision (e.g., systemd, Kubernetes, or custom orchestration). Without automatic restart mechanisms, manual intervention is required. Even with restart, repeated crashes disrupt availability and indicate the need for immediate patching.
This analysis is based on the CVE record and technical description published as of June 2026. Patch availability, version numbers, and vendor-specific guidance should be verified directly from Mosaic 5G's official security advisory. SEC.co makes no warranty regarding the completeness or accuracy of derivative information. Organizations should conduct their own risk assessment and testing before implementing mitigations in production environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-37230HIGHFlexRIC v2.0.0 RIC_INDICATION Denial-of-Service Vulnerability
- CVE-2025-59604HIGHQualcomm Snapdragon Memory Corruption Vulnerability – HIGH Severity
- CVE-2025-59606HIGHQualcomm Chipset Memory Corruption Local Privilege Escalation
- CVE-2025-70099HIGHNULL Pointer Dereference in lwext4 Directory Parsing (Denial of Service)
- CVE-2026-46110HIGHLinux stmmac NULL Dereference DoS Vulnerability
- CVE-2026-46114HIGHLinux Kernel RDMA RXE Remote Memory Leak via Malformed ATOMIC_WRITE
- CVE-2025-60477MEDIUMMP4Box NULL Pointer Dereference Denial of Service
- CVE-2025-60481MEDIUMGPAC MP4Box NULL Pointer DoS Vulnerability (v26.02.0 Patch)