CVE-2026-37227: FlexRIC v2.0.0 Near-RT RIC Denial of Service (CWE-617)
FlexRIC v2.0.0 has a flaw that allows anyone on the network to crash the near-RT RIC (Radio Access Network Intelligent Controller) by sending it a specially crafted message. The vulnerability exists because the software accepts certain message types during initial validation but then hits an unconditional assertion when actually processing them, causing an immediate crash. No authentication is required—an attacker simply needs network access to port 36421 where the RIC listens.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-617
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
FlexRIC v2.0.0 contains reachable assert(0) calls in stub message handlers for whitelisted but unimplemented E2AP message types in the near-RT RIC. A remote unauthenticated attacker can send a decodable E2AP PDU of such a type (e.g., E2nodeConfigurationUpdate) to crash the near-RT RIC process (port 36421) via SIGABRT. The message passes whitelist validation but triggers an unconditional assertion in the handler.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
FlexRIC v2.0.0 contains reachable assert(0) statements in stub message handlers for E2AP protocol data units (PDUs) that are whitelisted during initial validation but unimplemented at the handler level. Specifically, message types such as E2nodeConfigurationUpdate pass the protocol whitelist check but trigger a CWE-617 (Reachable Assertion) condition when the handler attempts to process them. An unauthenticated remote attacker can send a decodable E2AP PDU of an unimplemented-but-whitelisted type to the near-RT RIC process listening on port 36421, causing immediate termination via SIGABRT signal. The root cause is a mismatch between whitelist scope and stub handler implementation.
Business impact
Availability of the near-RT RIC is severely compromised. Since the RIC is a core orchestration component in 5G/6G radio access networks, a crash results in loss of dynamic control over connected base stations and user plane optimization until the service is manually restarted. In production environments, this translates to radio resource allocation failures, degraded QoS, and potential service interruptions across the controlled RAN domain. The ease of exploitation (unauthenticated, network-accessible) means that both external attackers and compromised internal systems can trigger denial of service.
Affected systems
FlexRIC v2.0.0 is affected. The vulnerability is specific to the near-RT RIC component listening on port 36421. Verify with your vendor which deployment versions correspond to v2.0.0 and which prior or later versions may contain similar patterns. Organizations using FlexRIC in production RAN environments should inventory their deployed versions immediately.
Exploitability
Exploitability is high. No authentication is required, the attack vector is network-based, the attack complexity is low (a valid E2AP PDU of an unimplemented type is trivial to craft), and user interaction is not needed. An attacker needs only network reachability to port 36421 and basic knowledge of the E2AP protocol structure. Public E2AP specifications and codec libraries make message construction straightforward. No user action or special privileges are required on the target.
Remediation
Immediately apply a vendor patch that either (1) removes the assert(0) statements and replaces them with graceful error handling, (2) implements the stub handlers for whitelisted message types, or (3) removes unimplemented message types from the whitelist. Verify the exact patch version and deployment method against your vendor's advisory. Until patching is possible, network segmentation and access controls on port 36421 can reduce exposure by limiting which systems can send E2AP traffic to the RIC.
Patch guidance
Contact your FlexRIC vendor for a patched version addressing CWE-617 in the E2AP message handler. Patch testing should confirm that E2nodeConfigurationUpdate and other previously unimplemented message types are either handled gracefully or rejected at the whitelist stage without assertion. Verify patch applicability to your exact FlexRIC version before deployment. Follow your organization's change control process for RIC updates, as crashes during deployment can disrupt RAN operations.
Detection guidance
Monitor for unexpected SIGABRT or process crashes of the FlexRIC near-RT RIC service on port 36421. Implement network telemetry on port 36421 to detect anomalous E2AP traffic patterns, particularly E2nodeConfigurationUpdate messages from unexpected sources. Check RIC application logs for assertion failures or unhandled message type warnings. A spike in RIC restarts without corresponding maintenance activity is a strong indicator of active exploitation. Alert on any remote connection attempts to port 36421 from untrusted network segments.
Why prioritize this
This vulnerability merits immediate prioritization due to its HIGH CVSS 3.1 score (7.5), network accessibility, lack of authentication requirements, and direct impact on RAN availability. Although not currently in CISA's KEV catalog, the ease of exploitation and the critical role of the RIC in 5G operations mean rapid weaponization is plausible. Organizations dependent on FlexRIC should treat this as urgent regardless of KEV status.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects a network-accessible, unauthenticated denial-of-service vector with no complexity barriers. The score appropriately penalizes the lack of confidentiality and integrity impact (both N) but assigns high weight to availability impact (A:H), since the RIC process terminates on each successful message. The base score does not account for compensating controls (network segmentation, port restrictions) that may be in place; actual risk is context-dependent on deployment architecture and threat modeling.
Frequently asked questions
Can an attacker read data or modify configurations before crashing the RIC?
No. This vulnerability causes only denial of service (process crash via SIGABRT). There is no confidentiality or integrity impact. An attacker cannot exfiltrate data or change RAN settings; they can only disrupt availability.
Is this vulnerability actively exploited in the wild?
As of the published date (2026-06-01), the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. However, the ease of exploitation means organizations should assume active discovery and testing by threat actors in RAN environments.
What if we segment port 36421 and restrict E2AP peers?
Network segmentation significantly reduces risk. If port 36421 is only accessible from authorized base stations or RIC peer entities and not from general untrusted networks, the attack surface shrinks considerably. However, this is a compensating control, not a cure; patching is still required for full remediation.
Does this affect FlexRIC v1.x or later versions like v3.0?
The provided data specifies only v2.0.0. Contact your FlexRIC vendor to confirm whether v1.x versions contain similar assertion logic and whether later versions include the fix. Do not assume all versions are equally vulnerable.
This analysis is based on the CVE record and publicly available vulnerability descriptions current as of the analysis date. Patch version numbers, affected product versions, and vendor remediation timelines must be verified against official vendor advisories before implementation. Network and deployment contexts vary; CVSS scores represent base risk under standard conditions and do not account for organizational compensating controls or threat exposure. Organizations should conduct their own risk assessment and prioritization based on their specific RAN architecture and operational dependencies. No exploit code or weaponized proof-of-concept is provided herein. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-37220HIGHFlexRIC v2.0.0 Denial of Service via SCTP Assertion Failure
- CVE-2026-37221HIGHFlexRIC v2.0.0 Unauthenticated Denial-of-Service via RIC Message Crash
- CVE-2026-37222HIGHFlexRIC E2AP Denial-of-Service Vulnerability – Analysis & Remediation
- CVE-2026-37223HIGHFlexRIC E2AP Dispatcher Assertion DoS – High-Severity O-RAN Vulnerability
- CVE-2026-37224HIGHFlexRIC v2.0.0 Denial of Service Vulnerability (CVE-2026-37224) — E2_SETUP_REQUEST Crash
- CVE-2026-37225HIGHFlexRIC v2.0.0 Remote Denial of Service
- CVE-2026-37228HIGHFlexRIC v2.0.0 Remote Denial-of-Service via SCTP Buffer Overflow
- CVE-2026-37229HIGHFlexRIC v2.0.0 Remote Denial of Service via Malformed SCTP