CVE-2026-37228: FlexRIC v2.0.0 Remote Denial-of-Service via SCTP Buffer Overflow
FlexRIC v2.0.0 has a flaw in how it handles incoming network messages that allows a remote attacker to crash critical RAN Intelligent Controller processes without needing credentials or a valid connection. An attacker simply sends a message larger than the system's receive buffer, triggering a fatal error. This affects the near-RT RIC, iApp, E2 Agent, and xApp components on standard E2AP ports, making it a availability risk for 5G infrastructure operators.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-617
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
FlexRIC v2.0.0 contains a reachable assertion in e2ap_recv_sctp_msg() (src/lib/ep/e2ap_ep.c). The function allocates a fixed 32KB receive buffer and enforces assert(rc < len) on the sctp_recvmsg() return value. A remote unauthenticated attacker can send a single SCTP message with payload >= 32,768 bytes to crash the near-RT RIC, iApp, E2 Agent, or xApp process via SIGABRT. No valid E2AP PDU is required. All four SCTP endpoint types (ports 36421 and 36422) share this vulnerable code path. In Release builds (NDEBUG), the stripped assertion leads to a signed-to-unsigned integer overflow and potential out-of-bounds read.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in the e2ap_recv_sctp_msg() function in src/lib/ep/e2ap_ep.c. The code allocates a fixed 32KB buffer for SCTP message reception and enforces assert(rc < len) on the sctp_recvmsg() return value. When an SCTP message with payload ≥32,768 bytes is received, the assertion fires, causing SIGABRT and process termination. In Release builds (NDEBUG), the assertion is stripped, exposing a signed-to-unsigned integer overflow and potential out-of-bounds read. The vulnerability affects all four SCTP endpoint types listening on ports 36421 and 36422, requiring no prior authentication or valid E2AP PDU.
Business impact
Availability of near-RT RIC infrastructure is directly impacted. An attacker can remotely crash E2 endpoints, disrupting RAN control loops, xApp execution, and E2 Agent connectivity. This can lead to temporary loss of intelligent RAN management, cascading effects on network optimization, and operational disruption for 5G operators relying on FlexRIC for E2 orchestration.
Affected systems
FlexRIC v2.0.0 and all SCTP endpoint types (near-RT RIC, iApp, E2 Agent, xApp) listening on ports 36421 and 36422 are vulnerable. The flaw is present in both Debug and Release builds, though with different manifestations. Any deployment running this version with E2AP endpoints exposed to untrusted networks is at risk.
Exploitability
Exploitability is high. The attack requires only network-level access to the SCTP ports and no authentication, valid credentials, or crafted E2AP signaling. A single oversized SCTP message is sufficient to trigger the crash. The attack is trivial to execute and does not require sophisticated tools or knowledge of the E2AP protocol.
Remediation
Update FlexRIC to a patched version that increases the receive buffer size or implements proper bounds checking without relying on assertions. Verify the patch against the vendor advisory to confirm the fix. Interim mitigations include network segmentation to restrict SCTP port access to trusted E2 nodes and implementing rate limiting or size restrictions on SCTP message reception.
Patch guidance
Consult the Mosaic5G FlexRIC release notes and security advisories for a patched version. Apply patches to all systems running FlexRIC v2.0.0, prioritizing production near-RT RIC and E2 Agent instances. Test the patch in a staging environment to verify no impact on legitimate E2AP message handling. Monitor vendor channels for updates, as this is a critical availability issue affecting 5G infrastructure stability.
Detection guidance
Monitor SCTP traffic on ports 36421 and 36422 for abnormally large message payloads (≥32KB). Set up logging and alerting for unexpected process crashes or SIGABRT signals in FlexRIC processes. Use syslog or process monitoring to detect near-RT RIC, iApp, E2 Agent, or xApp termination events. Correlate timing of crashes with SCTP message reception logs to confirm exploitation attempts.
Why prioritize this
While CVSS score is 7.5 (HIGH), the actual operational risk is elevated for 5G operators: the attack is unauthenticated, requires no payload crafting, and directly impacts availability of critical RAN control infrastructure. Even though confidentiality and integrity are not affected, loss of RIC availability cascades to xApp execution, E2 orchestration, and network intelligence. Patch urgently, especially for production deployments.
Risk score, explained
CVSS 3.1 score of 7.5 reflects high severity: Network-adjacent attack vector, low complexity, no privileges required, no user interaction, and a high impact to availability. The score does not change under Release builds because the overflow still results in undefined behavior and potential crash. The lack of integrity/confidentiality impact prevents a higher score, but the operational criticality of RIC availability elevates real-world risk for operators.
Frequently asked questions
Can an attacker crash the RIC without a valid E2AP connection?
Yes. The assertion check happens before E2AP PDU parsing, so no valid connection or protocol message is needed. A single raw SCTP message over 32KB triggers the crash.
Does this affect only one SCTP port or multiple endpoints?
All four SCTP endpoint types (near-RT RIC, iApp, E2 Agent, xApp) on both ports 36421 and 36422 are affected by the same vulnerable code path.
What is the difference between Debug and Release build behavior?
In Debug builds, the assertion fires and terminates the process with SIGABRT. In Release builds (NDEBUG), the assertion is stripped, leading to a signed-to-unsigned integer overflow and potential out-of-bounds memory read, which may cause a crash or undefined behavior.
Is network segmentation a sufficient workaround while patching?
Network segmentation limiting SCTP port access to trusted E2 nodes reduces exposure, but is not a complete mitigation. The underlying code flaw remains; patches should be applied as soon as available.
This analysis is based on the CVE description and public vendor information as of the publication date. Specific patch version numbers, detailed mitigation configuration, and vendor timelines should be verified directly with Mosaic5G. Organizations should test patches in controlled environments before production deployment. This content is for informational purposes; security decisions should be informed by your organization's risk profile and operational requirements. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-37229HIGHFlexRIC v2.0.0 Remote Denial of Service via Malformed SCTP
- CVE-2026-37233HIGHFlexRIC xApp Isolation Bypass Allows Arbitrary Subscription Deletion
- CVE-2026-37220HIGHFlexRIC v2.0.0 Denial of Service via SCTP Assertion Failure
- CVE-2026-37221HIGHFlexRIC v2.0.0 Unauthenticated Denial-of-Service via RIC Message Crash
- CVE-2026-37222HIGHFlexRIC E2AP Denial-of-Service Vulnerability – Analysis & Remediation
- CVE-2026-37223HIGHFlexRIC E2AP Dispatcher Assertion DoS – High-Severity O-RAN Vulnerability
- CVE-2026-37224HIGHFlexRIC v2.0.0 Denial of Service Vulnerability (CVE-2026-37224) — E2_SETUP_REQUEST Crash
- CVE-2026-37225HIGHFlexRIC v2.0.0 Remote Denial of Service