HIGH 7.5

CVE-2026-37229: FlexRIC v2.0.0 Remote Denial of Service via Malformed SCTP

FlexRIC v2.0.0, an open RAN intelligent controller, crashes when it receives malformed network data over SCTP. An attacker on the network can send a simple invalid byte sequence to either the near-RT RIC or iApp service (listening on ports 36421 and 36422) and cause an immediate denial of service. The vulnerability exists in the ASN.1 message decoding layer and triggers before the system performs any security checks, making it trivial to exploit.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-617
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

FlexRIC v2.0.0 contains a reachable assertion in e2ap_create_pdu() triggered when ASN.1 PER decoding fails. A remote unauthenticated attacker can send any non-PER byte sequence (e.g., a single 0x00 byte) over SCTP to the near-RT RIC (port 36421) or iApp (port 36422) to crash the process via SIGABRT. The assertion is reached before any protocol-level validation occurs. All three E2AP protocol versions (v1.01, v2.03, v3.01) are affected.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-37229 is a reachable assertion failure in the e2ap_create_pdu() function within FlexRIC v2.0.0. When ASN.1 PER (Packed Encoding Rules) decoding encounters invalid input, the function triggers a SIGABRT signal, terminating the process. The flaw affects all three E2AP protocol versions (v1.01, v2.03, v3.01) and occurs at the decode stage, before protocol-level validation gates are applied. An unauthenticated remote attacker can trigger this by sending a single invalid byte (such as 0x00) or any non-PER-compliant byte sequence over SCTP to the listening RIC or iApp ports.

Business impact

Organizations deploying FlexRIC v2.0.0 in production open RAN networks face service interruption risk. The near-RT RIC is typically responsible for real-time radio resource management and slice orchestration. An attacker causing repeated crashes can degrade network availability, impair handover performance, and disrupt network slicing operations. In mission-critical or operator environments, this denial of service could translate to customer-facing service degradation or SLA violations.

Affected systems

FlexRIC v2.0.0 is the confirmed vulnerable version. The vulnerability impacts any deployment listening on SCTP port 36421 (near-RT RIC) or 36422 (iApp). All three supported E2AP protocol versions are affected, so even if an organization has negotiated a specific E2AP version with peer nodes, that deployment remains vulnerable. Verify your FlexRIC version and port configuration against your network topology documentation.

Exploitability

This vulnerability is highly exploitable. No authentication, special privileges, or valid protocol sequence is required—a network-adjacent attacker can send a single malformed packet and cause immediate crash. The CVSS score of 7.5 reflects high availability impact and low attack complexity. The absence of CISA KEV listing does not reduce the practical risk; the attack surface is the public-facing SCTP interface, and tooling to send raw SCTP packets is readily available.

Remediation

Update FlexRIC to a patched version released by mosaic5g. Verify the exact patch version number against the vendor advisory, as updates are version-specific. If an immediate patch is unavailable, implement network-level mitigations: restrict SCTP access to ports 36421 and 36422 via firewall rules, limit to trusted peer nodes (e.g., CU-CP, DU, or other RIC instances), and monitor for abnormal SCTP traffic patterns. Consider deploying the service behind a load balancer that can detect and drop malformed SCTP frames.

Patch guidance

Contact mosaic5g directly or check their advisory documentation for the patched version number and release date. Patching should be coordinated with network operations to minimize service disruption. Test the patch in a non-production environment first, particularly if FlexRIC is serving real traffic. Rolling restart procedures should account for state preservation in the E2 agent layer. Verify that all E2AP versions in use are covered by the patch.

Detection guidance

Monitor SCTP traffic on ports 36421 and 36422 for non-PER-compliant packets or packets of unexpected length. Elevated SIGABRT signals or unexpected process restarts of FlexRIC services are a strong signal of exploitation attempts. Configure alerting on process restart rates for RIC and iApp daemons. Network intrusion detection systems should be tuned to flag malformed SCTP packets destined to these ports. Application-level logging from FlexRIC (if available) may reveal assertion failures prior to crash.

Why prioritize this

Prioritize patching based on your network's role and exposure. If FlexRIC v2.0.0 is deployed in a production near-RT RIC, this is a critical availability risk and should be treated as urgent. If the instance is in a lab or non-critical pilot, priority can be moderate but should still be scheduled soon. The low attack complexity and lack of authentication make this a high-confidence threat—do not defer indefinitely.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects: Network-based attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high availability impact (A:H). While confidentiality and integrity are unaffected, denial of service in a real-time network controller is operationally severe. The absence of exploit code in the wild and lack of KEV listing do not lower the intrinsic risk; the vulnerability is trivial to weaponize.

Frequently asked questions

Does this affect open RAN deployments that use competing RIC implementations?

No. This vulnerability is specific to mosaic5g FlexRIC v2.0.0. Other RIC vendors or implementations may have different code paths and are not affected. However, verify your vendor and version number to confirm.

Can this vulnerability be exploited from outside the operator network?

Only if the SCTP ports (36421, 36422) are reachable from the internet or a hostile network. In typical operator deployments, these ports are restricted to internal RAN infrastructure and vendor management networks. Check your network segmentation and firewall rules to determine your actual exposure.

What is the difference between a reachable assertion and other types of crashes?

A reachable assertion is a defensive code check that terminates the process if a condition is not met. In this case, the assertion is triggered before the code validates whether the input is genuinely malicious or just malformed. This makes it predictable and easy to exploit, unlike logic bugs that require specific state or sequences.

If we patch, will we need to reconfigure E2 peers?

Patching should be transparent from a configuration standpoint. E2 peer relationships and protocol version negotiation are handled at runtime. After patching, restart the FlexRIC service and allow E2 setup procedures to complete normally. Verify E2 connectivity through your usual monitoring tools before confirming the upgrade.

This analysis is based on publicly disclosed information as of the CVE publication date. Patch availability and version numbers should be verified directly with mosaic5g advisories. This vulnerability has not been added to CISA KEV at time of publication, but that does not indicate lower risk. Organizations should assess their specific deployment architecture and network exposure to determine true business risk. This information is provided for educational and operational awareness purposes and does not constitute legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).