HIGH 7.5

CVE-2026-37231: FlexRIC xapp_id Counter Overflow Denial of Service

FlexRIC v2.0.0 contains a counter overflow vulnerability that causes the application identifier (xapp_id) assignment mechanism to generate duplicate IDs after approximately 65,530 registration requests. When a duplicate ID is registered, the iApp component—which listens on port 36422—crashes due to an unhandled collision in its internal data structure. An attacker with network access can systematically trigger this denial-of-service condition by repeatedly initiating E42_SETUP_REQUEST messages to force counter wraparound and subsequent application crashes.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-191
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

FlexRIC v2.0.0 uses a uint16_t counter for xapp_id assignment but stores the value in uint32_t message fields. After 65,530+ E42_SETUP_REQUESTs, the 16-bit counter wraps around and produces duplicate xapp_ids. The iApp (port 36422) crashes when attempting to register a duplicate ID in its internal data structure. A remote attacker can trigger this by repeatedly connecting and requesting new xApp registrations.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from a type mismatch in xapp_id handling. FlexRIC uses a uint16_t counter to generate xapp_id values, but stores these identifiers in uint32_t message fields. This design allows the counter to wrap around at 65,536 (2^16), causing xapp_id reuse. The iApp process, which maintains an internal registry of active xApp instances indexed by xapp_id, lacks duplicate-key protection. When a second registration attempt arrives with an xapp_id that matches an existing entry, the data structure fails catastrophically rather than rejecting the duplicate or handling the collision gracefully. This is a classic integer overflow condition (CWE-191) applied to an identifier namespace.

Business impact

Denial of service against the RIC (RAN Intelligent Controller) infrastructure. The iApp crash disrupts xApp (intelligent application) lifecycle management, preventing new applications from registering and potentially blocking the entire network intelligence stack. In production Open RAN deployments, this translates to loss of automated radio access network optimization, reduced visibility into network behavior, and potential cascade failures if dependent services assume continuous iApp availability. Recovery requires manual intervention to restart the iApp process, introducing operational latency.

Affected systems

Mosaic5G FlexRIC v2.0.0 is explicitly vulnerable. Organizations running this version with exposed E42 protocol interfaces should assume compromise potential. The vulnerability requires network-level access to port 36422 (iApp) or the E42 protocol endpoint, so internal deployments have reduced exposure compared to publicly routed RIC infrastructure. Verify whether your deployment runs v2.0.0 specifically and assess your network segmentation around RIC components.

Exploitability

Exploitability is high. No authentication or privilege escalation is required—any attacker with network connectivity to the E42 interface can craft and send E42_SETUP_REQUEST messages. The attack is deterministic and does not depend on timing, race conditions, or user interaction. However, exploitation requires sustained traffic (65,530+ requests) to trigger the counter overflow, making it detectable if monitoring for abnormal registration patterns. The attack is not known to be weaponized in public exploits at this time.

Remediation

Upgrade FlexRIC to a patched version that corrects the xapp_id counter type or implements duplicate-key detection in the iApp registry. Pending vendor patches, implement network-level access controls to restrict E42 protocol traffic to trusted sources and apply rate limiting on E42_SETUP_REQUEST messages to slow counter wraparound and provide time for detection and intervention. Monitor iApp process stability and restart failures as leading indicators of exploitation attempts.

Patch guidance

Contact Mosaic5G or consult the official FlexRIC security advisory for patched version availability and deployment procedures. Patches should address either the fundamental type mismatch (promoting the counter to uint32_t) or adding idempotency and collision handling in the xApp registry. When a patch is released, validate it in a non-production environment before rolling out to production RIC infrastructure. Document the pre-patch and post-patch xapp_id behavior to ensure the fix does not introduce state management side effects.

Detection guidance

Monitor the iApp process (typically listening on port 36422) for unexpected restart events or crashes. Enable debug logging for E42_SETUP_REQUEST message handling to identify rapid, repetitive registration attempts from a single source IP. Network-based detection can flag abnormally high volumes of E42_SETUP_REQUEST traffic over short time windows. Correlate iApp crashes with corresponding E42 traffic spikes to confirm exploitation. Alert on any xapp_id collision or duplicate-key error messages in RIC logs.

Why prioritize this

This vulnerability merits immediate attention due to its HIGH CVSS score (7.5), zero authentication requirement, and direct impact on critical RAN intelligence infrastructure. Although it requires sustained traffic to trigger, the deterministic nature and lack of weaponization complexity make it a strong candidate for rapid exploitation once publicly disclosed. Open RAN deployments are increasingly common in production networks, making FlexRIC availability a legitimate operational concern.

Risk score, explained

CVSS 3.1 score of 7.5 (HIGH) reflects: network-accessible attack vector (AV:N), no special conditions needed (AC:L), no authentication required (PR:N), no user interaction (UI:N), and impact isolated to availability (A:H) with no confidentiality or integrity loss. The score appropriately captures the denial-of-service severity while acknowledging that exploitation requires network access and sustained attack effort. Organizations should treat HIGH severity vulnerabilities as candidates for urgent patching cycles, typically 14–30 days depending on asset criticality.

Frequently asked questions

How many E42_SETUP_REQUEST messages does an attacker need to send to crash the iApp?

Approximately 65,530 requests, since the xapp_id counter is a 16-bit unsigned integer. After wrapping to zero, the next duplicate registration attempt collides with an existing entry and triggers the crash. In a lab environment, this is achievable in seconds or minutes depending on network bandwidth; in practice, detection systems should flag unusual registration rates long before the threshold is reached.

Does this vulnerability affect only network-connected deployments?

The vulnerability requires network access to the E42 protocol endpoint, typically port 36422. If your RIC is deployed on an isolated network segment with strict ingress filtering, the attack surface is reduced. However, if the RIC is accessible from untrusted networks or the Internet, the threat is immediate and requires urgent remediation.

What is the difference between CWE-191 (integer underflow) and this vulnerability?

CWE-191 covers integer overflow, underflow, and wraparound. This specific case is a wraparound in an identifier namespace: a 16-bit counter increments past its maximum value (65,535) and wraps to 0, reusing previous ID values. The underlying weakness is the same—unsafe arithmetic on a bounded integer type—even though the practical consequences manifest as identifier collision rather than memory corruption.

Can I mitigate this without upgrading if my RIC is internal?

Partial mitigation is possible through network segmentation and rate limiting. Restrict E42 protocol access to a whitelist of trusted orchestrators, and implement rate limits on E42_SETUP_REQUEST messages to slow down counter wraparound and enable manual intervention. These measures reduce exploitability but do not eliminate the underlying defect. A vendor patch is the authoritative fix.

This analysis is provided for informational purposes and reflects the state of knowledge as of the published date. No exploit code or detailed attack methodology is included. Organizations should validate all remediation steps against their own environment and consult official vendor advisories before applying patches. SEC.co does not provide legal advice regarding regulatory obligations or liability. Risk scores and severity ratings are based on CVSS methodology and may vary depending on organizational context, asset criticality, and network topology. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).