HIGH 8.2

CVE-2026-37234: FlexRIC E42 Resource Leak via Multiple xapp_id Binding

FlexRIC v2.0.0 contains a resource management flaw in how it handles SCTP (Stream Control Transmission Protocol) connections to the RIC (Radio Interface Controller). An attacker can abuse the E42 setup protocol to register multiple application IDs (xapp_ids) over a single connection. When that connection is closed, only the first registered application's resources are cleaned up; the others remain as orphaned entries in system memory. Over time or through repeated connections, this allows an attacker to accumulate stale subscriptions and exhaust available resources, potentially corrupting the internal state of the intelligent application platform (iApp).

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Weaknesses (CWE)
CWE-400
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

FlexRIC v2.0.0 allows a single SCTP connection to bind multiple xapp_ids by sending multiple E42_SETUP_REQUESTs. On disconnect, only the first registered xapp_id's resources are cleaned up; subsequent xapp_ids and their subscriptions remain as stale entries. A remote attacker can exploit this to leak subscription state in the iApp, potentially causing resource exhaustion or state corruption over time.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from incomplete resource cleanup logic in FlexRIC's E42 protocol handler. When a remote client sends multiple E42_SETUP_REQUEST messages across a single SCTP connection, each request successfully binds a new xapp_id. The connection state machine maintains these bindings but fails to enumerate and release all of them during disconnection—only the first xapp_id's associated subscriptions and reservations are freed. Subsequent xapp_ids remain registered in the subscription table, creating a resource leak. Attackers can trigger this repetitively to accumulate stale entries, eventually degrading RIC performance or triggering memory pressure. This is classified as an Unrestricted Resource Consumption vulnerability (CWE-400).

Business impact

In a production 5G RAN architecture, a FlexRIC deployment manages network slicing, traffic steering, and other critical functions through registered applications. Uncontrolled resource leaks directly reduce the number of legitimate xapps that can be hosted and serviced, effectively performing a denial-of-service attack against the RIC. Additionally, corrupted subscription state may cause incorrect network policy enforcement, leading to billing inaccuracies, service degradation for specific slices, or unintended traffic redirection. Organizations deploying FlexRIC for private 5G or as part of a disaggregated RAN architecture face operational risk if patching is delayed.

Affected systems

FlexRIC v2.0.0 is affected. Organizations using this version in production 5G environments, particularly in disaggregated RAN (O-RAN) deployments, should audit their installations immediately. FlexRIC is commonly deployed in private mobile networks, university 5G testbeds, and telecom equipment vendors' RAN stacks. Verify your exact version and deployment context against mosaic5g's official documentation.

Exploitability

The vulnerability has a low barrier to exploitation. An attacker with network access to the RIC's E42 interface (typically protected by the OSN—Operations and Support Network—boundary but potentially exposed in misconfigured or cloud-native deployments) can send crafted SCTP messages without authentication or special privileges. The attack is reliable and does not require user interaction; repeated connections over hours or days accumulate damage. No exploit has been confirmed in the wild, and the vulnerability is not tracked on CISA's Known Exploited Vulnerabilities (KEV) catalog, but the technical simplicity suggests a proof-of-concept is easily reproducible.

Remediation

Upgrade to a patched version of FlexRIC that properly enumerates and releases all xapp_id resources during connection teardown. Consult mosaic5g's advisories and release notes for the recommended version. Simultaneously, network-level mitigations should restrict E42 protocol access to trusted RIC management and test environments; the E42 interface should not be routable from untrusted networks. If immediate patching is not feasible, implement connection rate-limiting and subscription quotas at the RIC boundary to slow resource exhaustion.

Patch guidance

Check mosaic5g's official security advisories and GitHub repositories for patched release versions. The fix involves completing the resource cleanup routine to iterate over all registered xapp_ids for a given SCTP connection context, not just the first one. When applying patches, test in a staging environment to ensure subscription state is correctly maintained during normal xapp lifecycle operations (registration, deregistration, reconnection). Verify that the patch does not introduce latency in E42 message processing.

Detection guidance

Monitor RIC logs and metrics for indicators of resource exhaustion: steady growth in registered xapp_id count without corresponding deregistration events, increasing SCTP connection churn (rapid connect/disconnect cycles), and rising memory or subscription table utilization. Implement alerting on subscription count anomalies and SCTP connection state transitions. Network-based detection can identify repeated E42_SETUP_REQUEST sequences from the same source IP within short time windows. Forensic analysis of RIC state dumps can reveal orphaned xapp_id entries and correlate them with attacker connection logs.

Why prioritize this

This vulnerability merits immediate attention because: (1) it affects a core infrastructure component in disaggregated 5G networks, (2) exploitation requires only network access and no user interaction, (3) the impact is denial-of-service and state corruption rather than data exfiltration, and (4) the fix is vendor-supplied and available. Organizations with production RIC deployments should prioritize patching within 30 days. Those in test or lab environments can take a measured approach but should not delay indefinitely.

Risk score, explained

The CVSS 3.1 score of 8.2 (HIGH) reflects a network-accessible vulnerability with low attack complexity and no privileges required, resulting in high availability impact (xapp resource exhaustion) and low integrity impact (subscription state corruption). The attack surface is the E42 protocol handler, a designed external interface. The absence of confidentiality impact (C:N) prevents a critical rating, but the combination of easy exploitation and infrastructure-level consequences warrants close monitoring.

Frequently asked questions

How does an attacker trigger the resource leak?

By establishing a single SCTP connection to the RIC's E42 interface and sending multiple E42_SETUP_REQUEST messages, each with a different xapp_id value. Each request is processed and the xapp_id is registered. When the attacker closes the connection, only the first xapp_id is cleaned up, leaving the others orphaned in memory.

Is this vulnerability being actively exploited?

Not currently tracked on CISA's Known Exploited Vulnerabilities list. However, the simplicity of the attack and the criticality of RIC infrastructure suggest that awareness is growing. Assume threat actors will develop proof-of-concepts once patches are publicly available.

What versions of FlexRIC are affected?

v2.0.0 is confirmed affected according to the published vulnerability. Consult mosaic5g's security advisories to determine if earlier or later versions are also vulnerable and which version contains the fix.

Can network segmentation mitigate this?

Yes. Restricting E42 protocol access to trusted management networks and preventing untrusted external hosts from reaching the RIC's E42 port will significantly reduce risk. This is a compensating control but does not replace patching.

This analysis is provided for informational purposes and reflects publicly available information as of the publication date. Patch versions, vendor advisories, and specific remediation steps are subject to change; consult mosaic5g's official security channels for authoritative guidance. SEC.co does not provide liability for decisions made based on this content. Organizations should conduct their own risk assessment and testing before deploying patches in production environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).