HIGH 8.6

CVE-2026-37232: OpenAirInterface5G KPM Division-by-Zero DoS Vulnerability

OpenAirInterface5G version 2.4.0 contains a vulnerability in how it calculates radio resource block (PRB) utilization metrics for 5G base stations. An attacker on the network can repeatedly request performance monitoring data via the FlexRIC interface, causing the base station software to crash when certain metric calculations divide by zero. The crash takes down the entire 5G cell, disconnecting all users. This requires no authentication and can be triggered remotely.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.6 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Weaknesses (CWE)
CWE-369
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

An issue was discovered in OpenAirInterface5G 2.4.0 (nr-softmodem) in the E2SM-KPM RAN Function's PRB utilization metric calculation. The functions fill_RRU_PrbTotDl() and fill_RRU_PrbTotUl() in openair2/E2AP/RAN_FUNCTION/O-RAN/ran_func_kpm_subs.c (lines 182 and 197) compute PRB usage percentages by dividing by the difference of two consecutive total_prb_aggregate samples without checking for zero. When a malicious xApp sends a high volume of E42_RIC_SUBSCRIPTION_REQUESTs via the FlexRIC iApp (port 36422/SCTP), the E2 Agent generates KPM Indication reports at high frequency. If two consecutive sampling intervals yield identical PRB aggregate values, the divisor becomes zero, triggering SIGFPE and crashing the entire 5G base station process (nr-softmodem). This results in complete 5G cell service interruption for all connected UEs. No authentication is required.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-37232 is a division-by-zero flaw in the E2SM-KPM RAN Function's PRB utilization metric calculation within OpenAirInterface5G 2.4.0. The vulnerable functions fill_RRU_PrbTotDl() and fill_RRU_PrbTotUl() in ran_func_kpm_subs.c (lines 182 and 197) compute PRB usage percentages by dividing the difference between consecutive total_prb_aggregate samples. When a malicious xApp sends high-volume E2_RIC_SUBSCRIPTION_REQUESTs via FlexRIC on port 36422/SCTP, the E2 Agent generates KPM Indication reports at elevated frequency. If two sampling intervals produce identical PRB aggregate values, the divisor becomes zero, causing SIGFPE (floating-point exception signal) and terminating the nr-softmodem process. The missing validation on the divisor is the root cause.

Business impact

This vulnerability poses a direct denial-of-service risk to 5G infrastructure operators. A successful attack results in immediate and complete loss of service for an entire 5G cell site. All user equipment (UEs) connected to that cell lose connectivity until manual intervention restarts the base station software. In production networks, this translates to service outages affecting potentially thousands of subscribers and revenue loss. The unauthenticated nature of the attack and its network-accessible entry point (FlexRIC E2 Agent) mean that threat actors can launch attacks from outside the RAN without credentials, making this particularly concerning for operators with externally exposed E2 interfaces or compromised internal orchestration systems.

Affected systems

OpenAirInterface5G version 2.4.0 is affected, specifically the nr-softmodem component. The vulnerability resides in the E2SM-KPM RAN Function's KPM subscription handling. Systems running this version with the E2 Agent enabled and FlexRIC integration active are at risk. The attack surface depends on network segmentation: if the FlexRIC E2 Agent (port 36422/SCTP) is accessible from untrusted networks or orchestration domains, exposure is higher. Any deployment using OpenAirInterface5G 2.4.0 for production 5G service should be considered potentially vulnerable.

Exploitability

Exploitability is high. No authentication is required to send E2_RIC_SUBSCRIPTION_REQUESTs to the FlexRIC interface, and the attack is straightforward: send a high volume of subscription requests to trigger frequent KPM reports, then wait for a sampling interval where consecutive PRB aggregate values are identical. This condition is not rare in real networks, especially during periods of stable traffic or in test environments. An attacker with network access to port 36422/SCTP can weaponize this vulnerability without specialized tools or timing tricks. The crash is immediate and deterministic once the zero-divisor condition occurs.

Remediation

Apply a patch from the OpenAirInterface5G vendor that adds null-check or zero-divisor validation to the fill_RRU_PrbTotDl() and fill_RRU_PrbTotUl() functions before performing the PRB percentage calculation. Verify the specific patch version against the vendor's advisory. As an interim control, restrict network access to the FlexRIC E2 Agent port (36422/SCTP) to trusted orchestration and RAN management systems only. Disable the E2 Agent or KPM subscription feature if not in use. Monitor base station process logs for SIGFPE signals or unexpected nr-softmodem restarts as leading indicators of exploitation.

Patch guidance

Contact OpenAirInterface5G or check their upstream repository for a patched version that addresses the zero-divisor validation in the KPM metric calculation functions. Apply the patch to all nr-softmodem instances running version 2.4.0. Test the patch in a lab environment before deploying to production cells to ensure it does not introduce regressions in KPM reporting accuracy. Verify that the patch correctly handles edge cases where PRB aggregates do not change between sampling intervals.

Detection guidance

Monitor for repeated E2_RIC_SUBSCRIPTION_REQUESTs originating from unexpected sources on port 36422/SCTP. Set alerts for unexpected nr-softmodem process crashes or SIGFPE signal events in base station logs. Check E2 Agent logs for a spike in KPM Indication report generation or subscription request handling errors. Implement rate-limiting on E2_RIC_SUBSCRIPTION_REQUESTs per source address or session. In SIEM/logs, correlate high-frequency E2 subscription requests with nr-softmodem restarts on the same host to identify potential attacks.

Why prioritize this

This vulnerability merits immediate prioritization due to its CVSS 8.6 HIGH severity rating, unauthenticated network exploitability, and direct impact on service availability. Unlike vulnerabilities that require user interaction or authentication, this flaw is remotely triggerable by any attacker with network access to the E2 Agent. For 5G operators, infrastructure availability is critical; even brief outages trigger SLA breaches and customer impact. The simplicity of the exploit (no zero-day tools needed) and the immediate crash outcome make this a prime target for both malicious actors and script-kiddie attacks.

Risk score, explained

CVSS 3.1 score of 8.6 reflects HIGH severity due to: (1) Attack Vector Network—exploitable remotely without physical access; (2) Attack Complexity Low—no special conditions or user interaction required; (3) Privileges Required None—unauthenticated attackers can trigger the flaw; (4) User Interaction None—fully automated; (5) Scope Changed—a single 5G cell crash affects not just the attacker's session but all connected subscribers; (6) Availability Impact High—complete denial of service to the cell. Confidentiality and Integrity are unaffected (score is 0 for both), so the risk is availability-focused but severe in the infrastructure context.

Frequently asked questions

How does an attacker trigger the crash without authentication?

The FlexRIC E2 Agent accepts E2_RIC_SUBSCRIPTION_REQUESTs on an open port (36422/SCTP) without requiring credentials. By sending a flood of these requests, an attacker forces the KPM subsystem to generate reports at high frequency. When two consecutive sampling intervals produce identical PRB aggregate values (a natural condition in stable networks), the metric calculation divides by zero, crashing nr-softmodem.

Does this vulnerability affect all OpenAirInterface5G deployments?

Only version 2.4.0 is confirmed vulnerable. Operators should verify their deployed version and cross-check against the vendor's patched release notes. Deployments not using the E2 Agent or KPM subscription feature have reduced risk, though disabling these features entirely may not be practical for operators relying on RAN telemetry and orchestration.

Can this be mitigated without patching?

Yes, partially. Restrict network access to port 36422/SCTP to only trusted orchestration and RAN management systems. Disable the E2 Agent or KPM subscriptions if not operationally necessary. Implement rate-limiting on subscription requests per source. However, these are not substitutes for patching; they reduce attack surface but do not fix the underlying zero-divisor bug.

What is the impact of a single cell crash in a 5G network?

A single cell crash causes all UEs connected to that cell to lose service instantly. Depending on network density and subscriber distribution, this can affect anywhere from dozens to thousands of users. The crash persists until manual or automated base station recovery restarts nr-softmodem, typically causing a multi-minute outage.

This analysis is based on the CVE-2026-37232 published record and vendor product information as of June 2026. Patch availability and version numbers should be verified directly with OpenAirInterface5G's official advisories and release notes. Security teams should test any remediation measures in a non-production environment before deployment. The vulnerability assessment assumes standard 5G network topology and may vary based on operator-specific configurations, network segmentation, and access controls. No exploit code or weaponization techniques are provided in this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).