CVE-2026-37221
Description
FlexRIC v2.0.0 is vulnerable to a remote denial-of-service attack via a forged RIC_SUBSCRIPTION_RESPONSE that triggers an unhandled assertion or NULL pointer dereference.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
FlexRIC v2.0.0 through commit 6a595d8b contains a reachable assertion vulnerability in the stop_pending_event() function within src/ric/msg_handler_ric.c [1]. The near-RT RIC fails to validate the existence of a pending event before attempting to process a RIC_SUBSCRIPTION_RESPONSE message. When a message containing an unknown ric_id is received, the application triggers an assert() in the bimap extraction routine, leading to an immediate process termination [1].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted RIC_SUBSCRIPTION_RESPONSE message to the near-RT RIC over SCTP port 36421 [1]. The attacker must provide a ric_id that does not correspond to any active pending event in the system. No prior authentication or user interaction is required to trigger the crash [1].
Impact
Successful exploitation results in a denial-of-service condition [1]. In debug builds, the process terminates due to SIGABRT caused by the failed assertion, while in release builds, the lack of assertion checks leads to a NULL pointer dereference and a SIGSEGV crash [1]. This effectively disrupts the near-RT RIC service, impacting the availability of the O-RAN infrastructure [1].
Mitigation
No upstream fix is currently available for this vulnerability [1]. Operators are advised to restrict network access to the SCTP port 36421 to trusted E2 nodes only to prevent unauthorized message injection. Future patches should implement proper validation to verify the existence of pending events and gracefully reject unknown or out-of-order responses instead of aborting the process [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Affected products: 1
Patches: 0 (no patches discovered yet).
Vulnerability mechanics
Root cause
"Missing input validation in the subscription response handler — `stop_pending_event()` is called with an unknown `ric_id` without first checking whether a corresponding pending event exists."
Attack vector
A remote unauthenticated attacker sends a forged `RIC_SUBSCRIPTION_RESPONSE` over SCTP to port 36421 with an arbitrary `ric_id` that does not correspond to any active pending event [1]. The near-RT RIC attempts to remove the non-existent pending entry, triggering a reachable assertion (CWE-617) in debug builds or a null pointer dereference in release builds, both resulting in a crash. No authentication or prior interaction is required.
Affected code
The vulnerability resides in `src/ric/msg_handler_ric.c` in the `stop_pending_event()` function (lines 69–85) and the subscription response handling path that calls it. The handler constructs a pending-event key from the received `ric_id` and invokes `stop_pending_event()` without verifying that the event exists, causing an assertion failure or null pointer dereference.
What the fix does
The advisory does not provide a patch; no upstream fix was available at the time of publication [1]. The recommended remediation is to verify that the pending event exists before calling `stop_pending_event()` and to reject unknown, replayed, or out-of-order responses without aborting the process.
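The existence check the advisory recommends, as an added C example that is not FlexRIC's code: a constructed pending-event table in which the extraction routine keeps the assert-on-missing-entry shape the advisory describes, and a hardened handler that looks the event up first and drops unknown or replayed responses with a log line and a counter. All type and function names here (`pending_table_t`, `pending_find`, `stop_pending_event`, `handle_subscription_response_checked`) are hypothetical, and a single `uint32_t ric_id` stands in for the real E2AP request identifier.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a near-RT RIC's pending-subscription table. The names
 * are hypothetical and are not FlexRIC's own types or functions. */
#define MAX_PENDING 16

typedef struct {
    bool     in_use;
    uint32_t ric_id;
} pending_event_t;

typedef struct {
    pending_event_t slot[MAX_PENDING];
    unsigned rejected; /* dropped responses; a spike here is worth an alert */
} pending_table_t;

typedef enum { RSP_HANDLED = 0, RSP_REJECTED_UNKNOWN_ID = 1 } rsp_result_t;

static void pending_init(pending_table_t *t) { memset(t, 0, sizeof *t); }

/* Record a pending event when the RIC sends a subscription request. */
static bool pending_add(pending_table_t *t, uint32_t ric_id) {
    for (size_t i = 0; i < MAX_PENDING; i++) {
        if (!t->slot[i].in_use) {
            t->slot[i].in_use = true;
            t->slot[i].ric_id = ric_id;
            return true;
        }
    }
    return false; /* table full */
}

/* Look up a pending event by id; NULL when nothing matches. */
static pending_event_t *pending_find(pending_table_t *t, uint32_t ric_id) {
    for (size_t i = 0; i < MAX_PENDING; i++)
        if (t->slot[i].in_use && t->slot[i].ric_id == ric_id)
            return &t->slot[i];
    return NULL;
}

/* Extraction routine with the defect shape the advisory describes: it assumes
 * the entry exists. Called directly on a peer-supplied id, a forged value
 * aborts the process when assertions are enabled (SIGABRT); with NDEBUG the
 * assert is compiled out and the NULL pointer is written through (SIGSEGV). */
static void stop_pending_event(pending_table_t *t, uint32_t ric_id) {
    pending_event_t *ev = pending_find(t, ric_id);
    assert(ev != NULL && "pending event must exist");
    ev->in_use = false;
}

/* Hardened handler: confirm a pending event exists before mutating state, and
 * reject unknown, replayed or out-of-order responses instead of aborting. */
static rsp_result_t handle_subscription_response_checked(pending_table_t *t,
                                                         uint32_t ric_id) {
    if (pending_find(t, ric_id) == NULL) {
        t->rejected++;
        fprintf(stderr, "dropping RIC_SUBSCRIPTION_RESPONSE: no pending event "
                        "for ric_id=%u (rejected so far: %u)\n", ric_id, t->rejected);
        return RSP_REJECTED_UNKNOWN_ID;
    }
    stop_pending_event(t, ric_id); /* safe: existence verified above */
    return RSP_HANDLED;
}

/* Scenario: one legitimate subscription, one forged response, one replay.
 * Returns how many responses the hardened handler rejected. */
static unsigned run_scenario(void) {
    pending_table_t t;
    pending_init(&t);
    pending_add(&t, 7);                              /* RIC sent request 7 */
    handle_subscription_response_checked(&t, 99);    /* forged id: dropped */
    handle_subscription_response_checked(&t, 7);     /* genuine: handled */
    handle_subscription_response_checked(&t, 7);     /* replay: dropped */
    return t.rejected;
}

int main(void) {
    printf("hardened handler rejected %u bad responses; process still alive\n",
           run_scenario());
    return 0;
}
```

The check is deliberately placed in the handler rather than inside `stop_pending_event`, so the extraction routine can keep its internal invariant while the network-facing path treats the peer-supplied id as untrusted input; the `rejected` counter gives operators a signal to watch for injection attempts on port 36421.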
Preconditions
- network: The attacker must be able to send SCTP packets to the near-RT RIC on port 36421.
- auth: No authentication or prior session state is required.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
References: 1
News mentions: 0 (no linked articles in our index yet).