VYPR
High severity · 7.5 · NVD Advisory · Published Jun 1, 2026 · Updated Jun 1, 2026

CVE-2026-37220

Description

FlexRIC v2.0.0 is vulnerable to a denial of service via a reachable assertion when an SCTP association is closed before an E2_SETUP_REQUEST is sent.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

FlexRIC v2.0.0 through at least commit 6a595d8b (2025-11-12) contains a reachable assertion vulnerability in the SCTP notification handler located in src/ric/not_handler_ric.c [1]. The near-RT RIC incorrectly assumes that an SCTP association always maps to an existing E2 node during the cleanup process, enforcing this assumption with an assert() statement that triggers if the mapping is missing [1].

Exploitation

An unauthenticated remote attacker can trigger this vulnerability by initiating a connection to the near-RT RIC on SCTP port 36421 [1]. The attacker must complete the SCTP handshake and immediately disconnect the association before sending any E2_SETUP_REQUEST message [1]. This sequence forces the application into the cleanup path where the missing mapping triggers the assertion failure [1].

Impact

Successful exploitation results in the immediate termination of the near-RT RIC process [1]. This causes a denial of service, disrupting all connected E2 nodes and xApps relying on the RIC for operation [1].

Mitigation

No upstream fix was available at the time of publication [1]. Operators are advised to restrict access to SCTP port 36421 to trusted E2 nodes and avoid exposing the port to untrusted networks [1].

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The cleanup path in notification_handle_ric() unconditionally removes the SCTP association from the E2 node mapping, asserting that the mapping exists, even when E2_SETUP_REQUEST was never received."

Attack vector

A remote unauthenticated attacker connects to the near-RT RIC SCTP port 36421, completes the SCTP handshake, and immediately disconnects without sending any E2AP message [1]. The shutdown notification handler then attempts to remove the SCTP association from the E2 node mapping, but because no mapping was ever created (no `E2_SETUP_REQUEST` was sent), the removal logic hits an `assert()` and aborts the process [CWE-617].

Affected code

The vulnerability resides in `src/ric/not_handler_ric.c`, function `notification_handle_ric()`, lines 23–30. The cleanup path unconditionally removes the SCTP association from the E2 node mapping without first verifying that `E2_SETUP_REQUEST` was received, leading to a reachable assertion failure.

What the fix does

The advisory states that no upstream fix was available at the time of publication [1]. The recommended mitigation is to restrict SCTP access to trusted E2 nodes and avoid exposing port 36421 to untrusted networks. A proper fix would add a guard in `notification_handle_ric()` to check whether the E2 node mapping exists before attempting removal, rather than relying on an assertion.
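A minimal sketch of the guard described above, added here as an example; it is not FlexRIC code and not an upstream patch. The map layout and the functions `map_add`, `on_shutdown_asserting` and `on_shutdown_guarded` are hypothetical names, and the IDs are constructed sample values.

```c
/* Added illustration only: hypothetical names, not FlexRIC's API or code. */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_ASSOC 8
/* Toy stand-in for the RIC's SCTP-association -> E2-node mapping. */
typedef struct { bool used; int32_t assoc_id; uint32_t e2_node_id; } map_entry_t;
static map_entry_t assoc_map[MAX_ASSOC];

/* A mapping exists only after an E2_SETUP_REQUEST has been accepted. */
bool map_add(int32_t assoc_id, uint32_t e2_node_id) {
    for (int i = 0; i < MAX_ASSOC; i++) {
        if (assoc_map[i].used) continue;
        assoc_map[i] = (map_entry_t){ true, assoc_id, e2_node_id };
        return true;
    }
    return false; /* table full */
}

static map_entry_t *map_find(int32_t assoc_id) {
    for (int i = 0; i < MAX_ASSOC; i++)
        if (assoc_map[i].used && assoc_map[i].assoc_id == assoc_id)
            return &assoc_map[i];
    return NULL;
}

/* Root-cause pattern: peer-dependent state enforced with assert() (CWE-617). */
void on_shutdown_asserting(int32_t assoc_id) {
    map_entry_t *e = map_find(assoc_id);
    assert(e != NULL); /* a missing mapping aborts the whole process */
    e->used = false;
}

/* Guarded form: a missing mapping is an expected case, reported to the caller. */
bool on_shutdown_guarded(int32_t assoc_id) {
    map_entry_t *e = map_find(assoc_id);
    if (e == NULL)
        return false; /* association closed before E2 setup: nothing to remove */
    e->used = false;
    return true;
}

int main(void) {
    map_add(7, 1001); /* constructed sample IDs */
    printf("mapped assoc removed: %d\n", on_shutdown_guarded(7));
    printf("unmapped assoc removed: %d\n", on_shutdown_guarded(9));
    return 0;
}
```

The guarded handler lets the caller log or count early disconnects instead of terminating, which also gives operators a signal to alert on.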

Preconditions

  • config: The near-RT RIC must be running and listening on SCTP port 36421
  • auth: No authentication is required to initiate an SCTP association
  • network: Attacker must be able to reach the SCTP port over the network
  • input: Attacker sends a valid SCTP INIT/INIT-ACK handshake then immediately closes the association

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1