VYPR
High severity · 7.5 · NVD Advisory · Published Jun 1, 2026 · Updated Jun 1, 2026

CVE-2026-37222

Description

FlexRIC v2.0.0 is vulnerable to a denial-of-service attack via malformed E2AP messages, crashing the near-RT RIC or iApp.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

FlexRIC v2.0.0 uses hardcoded assertions to validate Information Element (IE) counts in decoded E2AP messages. The vulnerability lies in src/lib/e2ap/v3_01/dec/e2ap_msg_dec_asn.c within the e2ap_dec_setup_request() function at line 1486, where exact IE counts are asserted rather than validating against protocol-specified ranges. This affects FlexRIC v2.0.0 through at least commit 6a595d8b [1].

Exploitation

A remote, unauthenticated attacker can exploit this vulnerability by sending a valid E2AP PDU with an unexpected number of IEs, such as an E2setupRequest containing extra optional fields, over SCTP to port 36421 or 36422. The decoder will reach a hardcoded IE count assertion, leading to a process abort [1].

Impact

Successful exploitation of this vulnerability results in a denial-of-service (DoS) condition. The near-RT RIC or iApp process terminates via SIGABRT, rendering the service unavailable [1].

Mitigation

No upstream fix was available at the time of publication. Operators are advised to limit SCTP access to trusted peers. The decoder should be modified to validate IE counts against protocol-allowed ranges and return a protocol error for unsupported message variants instead of using assert() on external input [1].

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The application uses hardcoded assertions to validate Information Element (IE) counts in E2AP messages, causing a crash when unexpected counts are encountered."

Attack vector

A remote unauthenticated attacker can trigger this vulnerability by sending a valid E2AP PDU with an unexpected number of IEs, such as an E2setupRequest containing extra optional fields [1]. This packet is sent over SCTP to the near-RT RIC on port 36421 or the iApp on port 36422 [1]. The decoder encounters the hardcoded assertion, which results in a SIGABRT and a denial of service [1].

Affected code

The vulnerability is located in src/lib/e2ap/v3_01/dec/e2ap_msg_dec_asn.c within the e2ap_dec_setup_request() function, specifically at line 1486 [1]. Additional decoder paths throughout the codebase also use similar hardcoded IE count assertions for other E2AP message types [1].

What the fix does

No upstream fix is currently available for this vulnerability [1]. Remediation requires replacing the hardcoded assertions with logic that validates IE counts against protocol-allowed ranges [1]. If an unsupported message variant is detected, the application should return a protocol error instead of terminating the process [1]. Operators are advised to limit SCTP access to trusted peers until a patch is implemented [1].
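The remediation described above, sketched as an added example; it is not FlexRIC code and not an upstream patch. All type, function and IE names are hypothetical, and the numeric IE bounds are placeholders to be replaced with the ranges the E2AP specification allows for each message.

```c
#include <assert.h>
#include <stddef.h>

/* All names and numeric bounds are hypothetical; this is not FlexRIC source. */
typedef enum { DEC_OK, DEC_ERR_IE_COUNT, DEC_ERR_DUPLICATE_IE,
               DEC_ERR_MISSING_MANDATORY } dec_status_t;

typedef struct { int id; } ie_t;            /* one decoded Information Element */
typedef struct { size_t count; const ie_t *ies; } ie_list_t;

enum { IE_TRANSACTION_ID = 1, IE_NODE_ID = 2, IE_OPTIONAL_A = 3, IE_ID_LIMIT = 8 };
#define MIN_IES 2u   /* placeholder: mandatory IEs only */
#define MAX_IES 4u   /* placeholder: mandatory plus optional IEs */

/* Pattern described in the advisory: a peer-controlled count checked with
 * assert(). A mismatch calls abort() (SIGABRT); with NDEBUG defined the
 * check is compiled out and nothing validates the count at all. */
void check_count_asserting(const ie_list_t *l) { assert(l->count == MIN_IES); }

/* Hardened form: every failure is a return value that the caller can map
 * to a protocol error while the process keeps serving other peers. */
dec_status_t check_ies(const ie_list_t *l)
{
    unsigned seen[IE_ID_LIMIT] = {0};

    if (l == NULL || l->ies == NULL || l->count < MIN_IES || l->count > MAX_IES)
        return DEC_ERR_IE_COUNT;

    for (size_t i = 0; i < l->count; i++) {
        int id = l->ies[i].id;
        if (id < 0 || id >= IE_ID_LIMIT)
            continue;   /* unknown IE: skipped in this sketch, never fatal */
        if (seen[id]++)
            return DEC_ERR_DUPLICATE_IE;
    }
    if (!seen[IE_TRANSACTION_ID] || !seen[IE_NODE_ID])
        return DEC_ERR_MISSING_MANDATORY;
    return DEC_OK;
}
```

A decoder built this way treats any status other than DEC_OK as a reason to reject the single message, so one peer's unexpected PDU no longer ends the process for every connected node.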

Preconditions

  • network: The attacker must have network access to the near-RT RIC on port 36421 or the iApp on port 36422.
  • input: The attacker must send a valid PER-encoded E2AP PDU that contains an unexpected number of Information Elements.

Reproduction

Send a valid PER-encoded E2AP PDU with an unexpected IE count, such as an E2setupRequest with an additional IE, to a FlexRIC endpoint on SCTP port 36421 or 36422 [1]. The decoder reaches the hardcoded IE count assertion and the process aborts [1].

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
