VYPR
Vypr Intelligence · AI-generated · Jun 1, 2026 · 10 CVEs

FlexRIC v2.0.0: Ten High-Severity Assertions and Logic Flaws Disclosed

Ten high-severity vulnerabilities were disclosed in FlexRIC v2.0.0 on June 1st, 2026, primarily stemming from improper input validation and assertion failures.

Key findings

  • Ten high-severity vulnerabilities disclosed in FlexRIC v2.0.0 on June 1st, 2026.
  • Most vulnerabilities stem from assertion failures and improper input validation.
  • Exploitable flaws include resource leaks, xApp impersonation, and denial-of-service crashes.
  • CVE-2026-37235 allows remote attackers to impersonate xApps due to trust in xapp_id fields.
  • CVE-2026-37233 details an authorization bypass in xApp isolation mechanisms.
  • Duplicate xApp IDs and E2 Node IDs can lead to process crashes.

On June 1st, 2026, a batch of ten high-severity vulnerabilities affecting FlexRIC version 2.0.0 was disclosed, all within a four-hour window. These issues, ranging in CVSS scores from 7.5 to 8.2, predominantly revolve around improper handling of SCTP connections, E42 messages, and E2AP PDUs, leading to resource leaks, impersonation, and denial-of-service conditions through assertion failures.

A significant portion of these vulnerabilities, including CVE-2026-37231, CVE-2026-37229, CVE-2026-37228, CVE-2026-37227, CVE-2026-37224, CVE-2026-37223, and CVE-2026-37222, are triggered by assertion failures within various message handlers and validation functions. These assertions, intended to catch unexpected states, become exploitable when remote, unauthenticated attackers send malformed or unexpected data. For instance, CVE-2026-37229 and CVE-2026-37223 can be triggered by sending non-PER byte sequences or E2AP PDUs with message types not present in the whitelist, leading to process crashes via SIGABRT. Similarly, CVE-2026-37228 allows for a crash by sending an SCTP message exceeding the allocated 32KB buffer.

Further complicating the security posture, CVE-2026-37231 highlights an issue with xApp ID assignment. The use of a 16-bit counter for xApp IDs, which wraps around after 65,530 requests, can lead to duplicate IDs. When the iApp attempts to register a duplicate ID, it crashes. This could be leveraged by an attacker to disrupt iApp operations. CVE-2026-37224 presents a similar denial-of-service vector, where duplicate E2_SETUP_REQUESTs from the same or spoofed E2 Node cause the iApp process to crash due to an assertion enforcing node ID uniqueness.

Logic flaws also contribute to the vulnerability count. CVE-2026-37234 details a resource leak where only the first registered xApp ID's resources are cleaned up upon disconnect, leaving subsequent IDs and subscriptions as stale entries. This could potentially lead to information disclosure. CVE-2026-37235 allows a remote attacker to impersonate any xApp because the xapp_id field in E42 message payloads is trusted without being bound to the sender's SCTP association. The validation function valid_xapp_id() only checks if the value is within the assigned range, enabling spoofing.
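The two logic flaws above (CVE-2026-37235 and CVE-2026-37234), shown as an added defensive sketch that is not FlexRIC's code: a range-only ID check beside one that binds each xApp ID to the SCTP association that registered it, plus a disconnect path that releases every ID the association owns. All type, function and constant names here are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical registry for illustration; not FlexRIC's own structures. */
#define MAX_XAPPS 64
#define NO_ASSOC  (-1)
typedef struct {
    uint16_t first_id;          /* first xApp ID in the assigned range */
    uint16_t count;             /* number of IDs handed out so far */
    int32_t  owner[MAX_XAPPS];  /* SCTP association that registered each ID */
} xapp_registry_t;

void registry_init(xapp_registry_t *r, uint16_t first_id) {
    r->first_id = first_id;
    r->count = 0;
    for (size_t i = 0; i < MAX_XAPPS; i++) r->owner[i] = NO_ASSOC;
}

/* Hand out the next ID; a full table is an error return, not an assert. */
bool registry_add(xapp_registry_t *r, int32_t assoc_id, uint16_t *out_id) {
    if (assoc_id < 0 || r->count >= MAX_XAPPS) return false;
    r->owner[r->count] = assoc_id;
    *out_id = (uint16_t)(r->first_id + r->count++);
    return true;
}

/* Range-only check: the behaviour the article attributes to valid_xapp_id(). */
bool id_in_range(const xapp_registry_t *r, uint16_t xapp_id) {
    return (uint16_t)(xapp_id - r->first_id) < r->count;
}

/* Hardened check: the ID must belong to the association the message came in on. */
bool id_bound_to_sender(const xapp_registry_t *r, uint16_t xapp_id, int32_t assoc_id) {
    if (assoc_id < 0 || !id_in_range(r, xapp_id)) return false;
    return r->owner[(uint16_t)(xapp_id - r->first_id)] == assoc_id;
}

/* On disconnect, release every ID the association owns, not only the first. */
size_t registry_drop_assoc(xapp_registry_t *r, int32_t assoc_id) {
    size_t freed = 0;
    for (size_t i = 0; i < r->count; i++)
        if (r->owner[i] == assoc_id) { r->owner[i] = NO_ASSOC; freed++; }
    return freed;
}

int main(void) {
    xapp_registry_t r; uint16_t a = 0, b = 0;   /* constructed sample data */
    registry_init(&r, 7); registry_add(&r, 100, &a); registry_add(&r, 200, &b);
    printf("range-only: %d, bound: %d\n", id_in_range(&r, b), id_bound_to_sender(&r, b, 100));
    return 0;
}
```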

An authorization bypass is described in CVE-2026-37233, where an equality function eq_xapp_ric_gen_id() incorrectly compares an xApp ID against itself instead of another argument, effectively nullifying the xApp identity check within the iApp's isolation mechanism. This could allow a malicious xApp to gain unauthorized access or privileges.

All identified vulnerabilities affect FlexRIC version 2.0.0. While the disclosure did not specify a patch release, users are strongly advised to consult the vendor's official advisories for the latest information on affected versions and available fixes. The concentration of these issues in a single version and their simultaneous disclosure suggest a thorough review of the codebase may have uncovered these flaws, and users should prioritize updating to a patched version once available.

The disclosure of these ten vulnerabilities in close succession underscores the importance of rigorous security testing for telecommunications infrastructure software like FlexRIC. The prevalence of assertion failures points to potential weaknesses in error handling and input validation, which attackers can exploit for denial-of-service or to bypass security controls. Users of FlexRIC should remain vigilant for vendor updates and apply them promptly to mitigate these risks.

AI-written article. Grounded in 10 CVE records listed below.