HIGH 7.5

CVE-2026-37230: FlexRIC v2.0.0 RIC_INDICATION Denial-of-Service Vulnerability

FlexRIC v2.0.0, an open RAN (O-RAN) near-real-time RIC (intelligent controller), crashes when it receives a RIC_INDICATION message with an invalid ran_func_id—a function identifier that doesn't exist in its internal registry. An unauthenticated attacker on the network can trigger this crash by sending a specially crafted message to port 36421, causing either an assertion failure in debug builds or a segmentation fault in release builds. This is a denial-of-service vulnerability that can disrupt RAN management and orchestration.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-476
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

FlexRIC v2.0.0 crashes when the near-RT RIC receives a RIC_INDICATION message with a ran_func_id that does not exist in its registry. The lookup returns NULL, triggering assert() in Debug builds (SIGABRT) or NULL pointer dereference in Release builds (SIGSEGV). A remote unauthenticated attacker can crash the near-RT RIC (port 36421) by sending a crafted RIC_INDICATION with an arbitrary ran_func_id value.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from a missing null-pointer guard in FlexRIC's RIC_INDICATION message handler. When the near-RT RIC attempts to look up a ran_func_id in its function registry and the lookup fails, the code returns NULL. In Debug builds, an assert() statement catches this and terminates the process with SIGABRT. In Release builds, the code dereferences the NULL pointer, triggering SIGSEGV. The vulnerability is classified as CWE-476 (Null Pointer Dereference). An unauthenticated, network-adjacent attacker can exploit this by crafting a RIC_INDICATION message with an arbitrary, non-existent ran_func_id value and sending it to the near-RT RIC's listening port (36421).

Business impact

A successful attack disrupts the near-RT RIC's availability, which is critical for real-time RAN control, policy enforcement, and resource optimization in O-RAN deployments. If the RIC crashes, ongoing RAN management functions halt, potentially causing:Service degradation or loss of radio access in affected cells; Cascading failures if the RIC is part of an orchestrated control plane; Difficulty restoring service if automatic restart mechanisms are not in place. For network operators and service providers, this translates to customer impact (dropped calls, data interruption) and operational overhead to recover services.

Affected systems

Mosaic5G FlexRIC v2.0.0 is confirmed affected. Organizations deploying this version of FlexRIC as a near-RT RIC in production or lab O-RAN environments are at risk. The vulnerability requires network access to port 36421 (the RIC's message port); therefore, systems isolated from untrusted networks or behind strict ingress filtering have reduced risk. Verify your FlexRIC version and deployment topology against the vendor's advisory.

Exploitability

Exploitability is straightforward and does not require authentication, specialized knowledge, or user interaction. The attacker needs only network reachability to port 36421 and the ability to craft and transmit a RIC_INDICATION message with an invalid ran_func_id. The CVSS score of 7.5 (HIGH) reflects the high attack vector (network), low complexity, no privilege requirement, and high availability impact. However, the attack is not automated in the wild; successful exploitation depends on the attacker's ability to reach the RIC and understand the RIC_INDICATION message format. In environments where the RIC is protected by network segmentation or firewalls, practical exploitability is lower.

Remediation

Upgrade FlexRIC to a patched version that includes null-pointer validation in the ran_func_id lookup handler. Verify the specific patch version in Mosaic5G's security advisory. Until patching is possible, implement network-level mitigations: restrict access to port 36421 to trusted control plane entities; deploy the near-RT RIC behind a firewall or in a segmented network; monitor RIC process crashes and implement automated restart mechanisms to minimize downtime. Verify the patch against the vendor's advisory before deploying.

Patch guidance

Contact Mosaic5G or consult their security advisory for the recommended patch version. Apply patches during a maintenance window that does not disrupt live O-RAN traffic. Test the patched build in a non-production environment first to confirm that RIC_INDICATION message processing works correctly and that no regressions are introduced. Verify that automatic restart policies are in place in case a crash occurs before the patch can be rolled out.

Detection guidance

Monitor for RIC crashes by tracking process exit codes and SIGABRT/SIGSEGV signals on systems running FlexRIC. Review RIC logs for failed ran_func_id lookups or exception messages prior to crashes. Deploy network-level detection by capturing RIC_INDICATION messages with invalid ran_func_id values using protocol analyzers or O-RAN-aware network sensors; look for messages with ran_func_id values not defined in your registry. Establish baseline availability metrics for the RIC and trigger alerts on unexpected restarts or prolonged downtime. Cross-correlate RIC crashes with incoming network traffic to identify potential attack patterns.

Why prioritize this

This vulnerability should be prioritized because it affects a critical control-plane component (the near-RT RIC) with a HIGH CVSS score (7.5) and high availability impact. It requires no authentication and can be exploited remotely with modest effort. Although it is not yet listed in CISA's KEV catalog (indicating no evidence of active exploitation in the wild as of the publication date), O-RAN deployments are sensitive targets, and the relative simplicity of the exploit makes opportunistic or targeted attacks plausible. Organizations with production O-RAN environments should prioritize patching or deploying compensating controls.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) is driven by: Attack Vector: Network (AV:N) — the RIC is reachable over the network; Attack Complexity: Low (AC:L) — no special conditions needed; Privileges Required: None (PR:N) — unauthenticated access; User Interaction: None (UI:N) — no user involvement; Confidentiality: None (C:N) — no data exfiltration; Integrity: None (I:N) — no data tampering; Availability: High (A:H) — the RIC process crashes, completely unavailable. The score reflects the real-world severity: an unauthenticated attacker can disable a critical network function with one malformed message. Contextual factors (network isolation, rapid restart capabilities) may lower practical risk but do not change the inherent CVSS score.

Frequently asked questions

Does this vulnerability affect FlexRIC versions prior to v2.0.0?

The advisory confirms v2.0.0 as affected. Consult Mosaic5G's security advisory or release notes to determine whether earlier or later versions are also vulnerable. If you are running a different version, verify its status against the vendor's guidance.

What is ran_func_id and why does an invalid value cause a crash?

The ran_func_id is an identifier used in O-RAN to reference RAN Functions (network services) managed by the RIC. The RIC maintains a registry of valid function IDs. When a RIC_INDICATION message carries an invalid ran_func_id, the lookup fails and returns NULL. The code does not check for NULL before dereferencing it, causing a crash. Proper defensive coding (null-pointer checks) would prevent this.

Can this be exploited from outside the O-RAN network?

Yes, if the RIC's port 36421 is accessible from the internet or an untrusted network. In practice, near-RT RICs are typically deployed in operator data centers or private networks. However, misconfigured deployments, cloud-based RICs, or O-RAN test labs may be exposed. Verify your network topology and apply firewall rules to restrict access.

What should I do if I cannot patch immediately?

Implement compensating controls: (1) Restrict network access to port 36421 using firewalls or security groups; (2) Deploy the RIC in a private, segmented network; (3) Enable automated process restart to recover from crashes; (4) Monitor RIC logs and process health continuously; (5) Schedule a maintenance window to apply the patch as soon as possible. Monitor Mosaic5G's channels for patch availability.

This analysis is based on publicly available information as of the publication date. CVSS scores are provided by the National Vulnerability Database (NVD) and represent the base vulnerability; contextual risk may differ based on your deployment. No exploit code is provided. Patch versions, availability dates, and detailed remediation steps must be obtained directly from Mosaic5G's official security advisories. This document does not constitute security advice; conduct your own assessment and testing before applying patches or mitigations. SEC.co makes no warranty regarding the completeness or accuracy of this information. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).