CVE-2026-37233: FlexRIC xApp Isolation Bypass Allows Arbitrary Subscription Deletion
FlexRIC v2.0.0 has a critical flaw in how it isolates multiple xApps (RAN applications) running on the same RIC (RAN Intelligent Controller). A malicious xApp can trick the system into thinking it owns another xApp's subscriptions and delete them, disrupting service for legitimate applications. The root cause is a simple but devastating coding error: the isolation check compares an xApp's ID to itself instead of comparing it to the requesting xApp's ID, rendering the multi-tenant protection completely ineffective.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-617
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
FlexRIC v2.0.0 contains an authorization bypass in the iApp's xApp isolation mechanism. The equality function eq_xapp_ric_gen_id() in src/ric/iApp/xapp_ric_id.c compares m0->xapp_id against itself (m0->xapp_id) instead of the other argument (m1->xapp_id), effectively ignoring the xApp identity dimension. A malicious xApp connected to the iApp (port 36422) can delete any other xApp's subscriptions by sending an E42_RIC_SUBSCRIPTION_DELETE_REQUEST with a matching ric_gen_id. This breaks multi-tenant isolation in any deployment with multiple xApps sharing the same RIC.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in the equality function eq_xapp_ric_gen_id() within src/ric/iApp/xapp_ric_id.c. This function is responsible for validating whether an xApp has authorization to perform operations on subscription identifiers (ric_gen_id). Due to a logic error, the function compares m0->xapp_id == m0->xapp_id rather than m0->xapp_id == m1->xapp_id, effectively removing the cross-xApp identity check. When an E42_RIC_SUBSCRIPTION_DELETE_REQUEST arrives at the iApp listening on port 36422, the malicious xApp can specify any target ric_gen_id, and the flawed equality check will always grant permission because the validation is comparing the target subscription's identity to itself. This bypasses the xApp isolation boundary entirely, allowing arbitrary subscription deletion across tenant boundaries.
Business impact
In production deployments with multiple xApps—whether from different vendors, internal teams, or partners—a single compromised or malicious xApp can cause a denial-of-service attack by deleting the subscriptions of other xApps. This undermines the multi-tenancy model that RIC platforms rely on for operational flexibility and cost efficiency. Network slicing, traffic steering, and other autonomous RAN features managed by affected xApps would be interrupted. For service providers relying on third-party or partner xApps, this vulnerability creates an unacceptable security boundary violation and increases the risk surface of running untrusted applications on the same RIC instance.
Affected systems
Mosaic5g FlexRIC v2.0.0 is confirmed affected. Any deployment running multiple xApps on the same RIC instance is vulnerable; single-xApp deployments are unaffected because there are no other subscriptions to delete. The iApp listening on port 36422 must be accessible to xApp connections for the attack to succeed, which is the normal operational configuration.
Exploitability
Exploitability is straightforward. No special privileges, network authentication, or user interaction are required—only the ability to connect an xApp to the iApp on port 36422, which is the standard integration point. The attacker simply needs a malicious xApp already connected to the RIC or the ability to instantiate one. The attack is deterministic: crafting an E42_RIC_SUBSCRIPTION_DELETE_REQUEST with a known ric_gen_id from another xApp will reliably delete that subscription. This is not a theoretical vulnerability; the flawed code path is executed on every subscription deletion request.
Remediation
FlexRIC maintainers must fix the equality function in src/ric/iApp/xapp_ric_id.c to correctly compare m0->xapp_id against m1->xapp_id instead of comparing m0->xapp_id to itself. Verify against the vendor advisory for patched version numbers. Operators unable to patch immediately should implement network segmentation to isolate xApps into separate RIC instances or restrict xApp connectivity to trusted sources only, though these are temporary mitigations and do not address the underlying code defect.
Patch guidance
Consult the Mosaic5g FlexRIC project repository and official advisories for the patched version addressing CVE-2026-37233. Apply patches to all FlexRIC v2.0.0 deployments as soon as they become available. Verify the fix by confirming that eq_xapp_ric_gen_id() now correctly performs cross-identity comparison. If operating in an air-gapped or highly regulated environment, request vendor confirmation that patches have been tested and are suitable for your deployment topology before applying.
Detection guidance
Monitor iApp logs on port 36422 for E42_RIC_SUBSCRIPTION_DELETE_REQUEST messages originating from xApp identities that do not own the targeted subscriptions. Baseline the relationship between xApp IDs and their owned subscription IDs, then alert on anomalies. Review xApp connectivity logs to detect unauthorized or unexpected xApp instances joining the RIC. Implement subscription lifecycle auditing to detect unexpected deletions and correlate them with xApp connection events. If forensic analysis is needed, correlation between xApp instantiation timestamps and subscription deletion timestamps can help identify which xApp performed the attack.
Why prioritize this
Despite the CVSS 7.5 score (HIGH), this vulnerability should be treated as critical for any multi-tenant RIC deployment. The attack is trivial to execute, requires no special privileges, and directly violates the isolation guarantees that multi-tenant architectures depend on. Service providers and enterprises using FlexRIC as a foundation for autonomous RAN services face immediate risk to service availability and platform trustworthiness. If the RIC is in the data path or controls critical network functions, a denial-of-service attack on dependent xApps cascades to end-user impact.
Risk score, explained
CVSS 3.1 score of 7.5 reflects network accessibility (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high availability impact (A:H). The score does not credit integrity impact because the vulnerability does not modify subscriptions—it only deletes them. However, the real-world risk is amplified by the simplicity of exploitation and the architectural trust model it violates. Organizations should supplement the CVSS score with context: in a multi-tenant environment, this is functionally equivalent to a privilege escalation attack that lets any xApp act as a super-admin.
Frequently asked questions
Can an xApp outside the RIC exploit this vulnerability remotely?
No. The attack requires the ability to connect to the iApp on port 36422 as a registered xApp. Typically, this means the xApp must be instantiated or deployed by an administrator with control over the RIC. However, if the RIC is connected to an untrusted network or if xApp onboarding is not strictly controlled, this assumption weakens.
Does the vulnerability allow an xApp to read or modify subscriptions belonging to other xApps, or only delete them?
Based on the vulnerability description, the flawed equality check affects the authorization boundary for all operations using eq_xapp_ric_gen_id(). Deletion is the primary attack vector documented, but operators should verify whether the same function is used for read or update operations and assess whether those are also compromised.
If we run only one xApp on our RIC, are we safe?
Yes, a single-xApp deployment eliminates the multi-tenant scenario and prevents the attack from manifesting. However, this is not a sustainable solution for service providers or environments where xApp scalability and sharing are business requirements. Patching is still recommended to maintain security posture.
How long has this been affecting FlexRIC v2.0.0 in the wild?
The vulnerability was published on 2026-06-01 with earlier modification dates suggesting discovery or internal awareness beforehand. Without vendor disclosure details, the exact timeline of initial impact is not publicly documented. Assume any FlexRIC v2.0.0 deployment has been at risk since the release of that version.
This analysis is provided for educational and defensive security purposes. Exploit code, weaponization guidance, or instructions for unauthorized access are not included. Operators must verify all patch versions and vendor guidance against official Mosaic5g FlexRIC advisories before deploying fixes. SEC.co does not provide real-time threat intelligence on active exploitation; consult your vendor and threat intelligence sources for current threat status. This explainer reflects the vulnerability as documented as of 2026-06-17 and may require updates as additional vendor or researcher information emerges. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-37228HIGHFlexRIC v2.0.0 Remote Denial-of-Service via SCTP Buffer Overflow
- CVE-2026-37229HIGHFlexRIC v2.0.0 Remote Denial of Service via Malformed SCTP
- CVE-2026-37220HIGHFlexRIC v2.0.0 Denial of Service via SCTP Assertion Failure
- CVE-2026-37221HIGHFlexRIC v2.0.0 Unauthenticated Denial-of-Service via RIC Message Crash
- CVE-2026-37222HIGHFlexRIC E2AP Denial-of-Service Vulnerability – Analysis & Remediation
- CVE-2026-37223HIGHFlexRIC E2AP Dispatcher Assertion DoS – High-Severity O-RAN Vulnerability
- CVE-2026-37224HIGHFlexRIC v2.0.0 Denial of Service Vulnerability (CVE-2026-37224) — E2_SETUP_REQUEST Crash
- CVE-2026-37225HIGHFlexRIC v2.0.0 Remote Denial of Service