CVE-2026-37223
Description
A reachable assertion in the FlexRIC v2.0.0 iApp message dispatcher allows a remote unauthenticated attacker to cause a denial-of-service via a crafted E2AP PDU.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
FlexRIC v2.0.0 through at least commit 6a595d8b contains a reachable assertion in the iApp message dispatcher located in src/ric/iApp/msg_handler_iapp.c [1]. The e2ap_msg_handle_iapp() function validates incoming E2AP messages against a 9-entry whitelist using an assert() statement, which triggers a process termination if an unexpected message type is encountered [1].
Exploitation
An attacker requires network access to the SCTP port 36422 [1]. Exploitation is achieved by sending a decodable E2AP PDU containing a message type that is not present in the hardcoded whitelist [1]. Because the check is performed via assert(), the process immediately terminates upon receiving the invalid message type without requiring authentication or complex interaction [1].
Impact
Successful exploitation results in a denial-of-service condition [1]. Because the iApp and the near-RT RIC share a single process in standard deployments, the SIGABRT crash terminates the entire RIC service, leading to the disconnection of all connected E2 Nodes and xApps [1].
Mitigation
No upstream fix was available at the time of publication [1]. Operators are advised to restrict access to port 36422 to trusted xApps only [1]. Future patches should replace the assert() call with proper error handling that rejects unsupported message types gracefully [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The iApp message dispatcher uses an assert() statement to validate incoming E2AP message types against a whitelist, causing a process crash when an unexpected message type is received."
Attack vector
A remote unauthenticated attacker can trigger this vulnerability by sending a decodable E2AP PDU with a message type not included in the hardcoded whitelist to SCTP port 36422 [1]. Because the dispatcher uses an assertion to enforce this check, the process terminates via SIGABRT upon receiving an unsupported message type [1]. This results in a denial of service for the entire RIC service, disconnecting all connected E2 Nodes and xApps [1].
Affected code
The vulnerability is located in the iApp message dispatcher within the file src/ric/iApp/msg_handler_iapp.c [1]. Specifically, the issue occurs in the e2ap_msg_handle_iapp() function, lines 446-451, and the check_valid_msg_type() whitelist [1].
What the fix does
No upstream patch is currently available to resolve this vulnerability [1]. The advisory recommends that the dispatcher be modified to reject unsupported message types gracefully, such as by returning an error response or silently dropping the packet, rather than using an assertion on externally supplied data [1]. In the interim, operators should restrict access to port 36422 to trusted xApps only [1].
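The recommended change, sketched as an added example (not FlexRIC's code and not an upstream patch): the assert-on-whitelist pattern beside a dispatcher that returns an error and drops the PDU. The message-type names, `pdu_t`, the return codes and both dispatcher functions are hypothetical stand-ins; only the pattern itself comes from the advisory.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical message types; not FlexRIC's real enum or whitelist. */
enum { MSG_SETUP_REQ, MSG_SUB_REQ, MSG_CTRL_REQ, MSG_INDICATION, MSG_TYPE_COUNT };
typedef struct { int type; } pdu_t; /* stand-in for a decoded E2AP PDU */
typedef enum { DISPATCH_OK = 0, DISPATCH_REJECTED = -1 } dispatch_rc_t;

/* Types this endpoint serves; everything else must be refused. */
static const bool allowed[MSG_TYPE_COUNT] = {
    [MSG_SETUP_REQ] = true, [MSG_SUB_REQ] = true, [MSG_CTRL_REQ] = true,
};
static unsigned long rejected_count; /* counter an operator can alert on */

static bool is_allowed(int type) {
    return type >= 0 && type < MSG_TYPE_COUNT && allowed[type];
}

/* Pattern the advisory describes: a peer-controlled value checked with
 * assert(). A type outside the whitelist raises SIGABRT and ends the process. */
dispatch_rc_t dispatch_assert(const pdu_t *pdu) {
    assert(is_allowed(pdu->type));
    return DISPATCH_OK;
}

/* Hardened form: same whitelist, but a failed check is an ordinary return
 * code. The PDU is dropped, counted and logged; the process keeps serving. */
dispatch_rc_t dispatch_checked(const pdu_t *pdu) {
    if (pdu == NULL || !is_allowed(pdu->type)) {
        rejected_count++;
        fprintf(stderr, "iapp: dropping PDU with unsupported type %d\n",
                pdu ? pdu->type : -1);
        return DISPATCH_REJECTED;
    }
    return DISPATCH_OK;
}

unsigned long rejected_total(void) { return rejected_count; }

int main(void) {
    pdu_t ok = { MSG_SUB_REQ }, bad = { MSG_INDICATION }; /* constructed inputs */
    int r_ok = dispatch_checked(&ok), r_bad = dispatch_checked(&bad);
    printf("ok=%d bad=%d rejected=%lu\n", r_ok, r_bad, rejected_total());
    return 0;
}
```

The rejection counter gives monitoring a signal for peers that send unsupported types, which the assert() form cannot provide because the process is already gone.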
Preconditions
- network: The attacker must have network access to the SCTP port 36422.
Reproduction
Send a decodable E2AP PDU with a message type outside the iApp whitelist to SCTP port 36422 [1]. The PDU does not need to complete an E42 setup flow; the dispatcher will abort immediately after decoding and validating the message type [1].
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.