CVE-2026-37225
Description
A cross-layer validation mismatch in FlexRIC v2.0.0 allows a remote unauthenticated attacker to trigger a process crash via a malformed E42 subscription request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
FlexRIC v2.0.0 through commit 6a595d8b contains a reachable assertion vulnerability (CWE-617) due to a validation mismatch between the E42 layer decoder and the E2AP encoder. The E42 decoder incorrectly accepts an empty ricEventTriggerDefinition field in an E42_RIC_SUBSCRIPTION_REQUEST, but the subsequent E2AP encoder enforces a non-empty constraint, leading to an assertion failure when the request is processed [1].
Exploitation
An attacker can exploit this vulnerability without authentication by sending a crafted E42_RIC_SUBSCRIPTION_REQUEST containing an empty ricEventTriggerDefinition field to the iApp process listening on SCTP port 36422. The mismatch between the decoder and encoder logic causes the application to trigger a SIGABRT signal, resulting in an immediate process termination [1].
Impact
Successful exploitation results in a denial of service (DoS) condition for the iApp process. Because the process terminates via an assertion failure, the service becomes unavailable to legitimate xApps, impacting the overall functionality of the O-RAN RIC deployment [1].
Mitigation
No upstream fix was available at the time of publication. Operators are advised to restrict network access to the iApp port to trusted xApps only. A permanent fix requires updating the E42 decoder to enforce the same non-empty constraints as the E2AP encoder, ensuring that invalid requests are rejected before reaching the encoding stage [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"A cross-layer validation mismatch occurs because the E42 decoder accepts an empty ricEventTriggerDefinition that the E2AP encoder subsequently rejects via an assertion."
Attack vector
A remote unauthenticated attacker can trigger a denial of service by sending a crafted E42_RIC_SUBSCRIPTION_REQUEST to the iApp process on SCTP port 36422 [1]. The request must contain an empty ricEventTriggerDefinition field [1]. This payload bypasses the initial decoding checks but causes the process to terminate via SIGABRT when the E2AP encoder encounters its non-empty constraint assertion [1].
Affected code
The vulnerability is located in the E42 subscription request decoding logic within src/lib/e2ap/v3_01/dec/e2ap_msg_dec_asn.c at lines 548-551 [1]. The assertion failure occurs during E2AP subscription request encoding in src/lib/e2ap/v3_01/enc/e2ap_msg_enc_asn.c at line 340 [1].
What the fix does
No upstream patch is currently available to resolve this vulnerability [1]. Remediation requires updating the E42 decoder to enforce the same non-empty constraints as the E2AP encoder, ensuring invalid requests are rejected before they reach the encoding stage [1]. Operators are advised to restrict access to the iApp to trusted xApps until a fix is implemented [1].
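The Mitigation and "What the fix does" sections both describe the same remediation pattern: the decoder must enforce the constraint that the encoder later asserts, so a malformed request becomes a rejected request rather than a reachable assertion. The following is an added illustration of that pattern, not FlexRIC code and not the upstream fix. The struct and function names (byte_array_t, e42_sub_req_t, validate_sub_req, encode_sub_req, handle_sub_req) and the toy TLV layout are hypothetical; only the ricEventTriggerDefinition non-empty constraint comes from the advisory.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of an E42 RIC subscription request. Only the field the
 * advisory names is modelled; the type and field names are illustrative and
 * are not FlexRIC's own definitions. */
typedef struct {
    size_t len;
    const uint8_t *buf;
} byte_array_t;

typedef struct {
    uint32_t ric_req_id;
    byte_array_t ric_event_trigger_def;   /* E2AP requires this to be non-empty */
} e42_sub_req_t;

typedef enum { DEC_OK = 0, DEC_ERR_NULL_REQ = 1, DEC_ERR_EMPTY_TRIGGER = 2 } dec_status_t;

/* Decoder-side check. It enforces the same non-empty constraint the encoder
 * later asserts, so a malformed request becomes an error code here instead of
 * a SIGABRT further down the pipeline. */
dec_status_t validate_sub_req(const e42_sub_req_t *req)
{
    if (req == NULL)
        return DEC_ERR_NULL_REQ;
    if (req->ric_event_trigger_def.len == 0 || req->ric_event_trigger_def.buf == NULL)
        return DEC_ERR_EMPTY_TRIGGER;
    return DEC_OK;
}

/* Encoder stand-in using a toy TLV layout: 4-byte request id, 2-byte length,
 * then the trigger bytes. It keeps the non-empty invariant as an assertion,
 * which is only safe once every path into it has been validated.
 * Returns bytes written, or 0 if the output buffer is too small. */
size_t encode_sub_req(const e42_sub_req_t *req, uint8_t *out, size_t out_cap)
{
    const byte_array_t *trig = &req->ric_event_trigger_def;
    assert(trig->len > 0 && trig->len <= UINT16_MAX);   /* the assertion class the advisory describes */
    size_t need = 4 + 2 + trig->len;
    if (out_cap < need)
        return 0;
    out[0] = (uint8_t)(req->ric_req_id >> 24);
    out[1] = (uint8_t)(req->ric_req_id >> 16);
    out[2] = (uint8_t)(req->ric_req_id >> 8);
    out[3] = (uint8_t)(req->ric_req_id);
    out[4] = (uint8_t)(trig->len >> 8);
    out[5] = (uint8_t)(trig->len);
    memcpy(out + 6, trig->buf, trig->len);
    return need;
}

/* Request handler: validate first, then encode. Returns 0 on success and -1
 * when the request is rejected; the encoder and its assertion are never
 * reached for a rejected request. */
int handle_sub_req(const e42_sub_req_t *req, uint8_t *out, size_t out_cap, size_t *out_len)
{
    dec_status_t st = validate_sub_req(req);
    *out_len = 0;
    if (st != DEC_OK) {
        fprintf(stderr, "E42_RIC_SUBSCRIPTION_REQUEST rejected (status %d)\n", (int)st);
        return -1;
    }
    *out_len = encode_sub_req(req, out, out_cap);
    return *out_len == 0 ? -1 : 0;
}

/* Constructed sample request with an empty trigger: returns 1 if it was
 * rejected before reaching the encoder. */
int demo_empty_trigger_is_rejected(void)
{
    e42_sub_req_t bad = { .ric_req_id = 1, .ric_event_trigger_def = { .len = 0, .buf = NULL } };
    uint8_t out[64];
    size_t n = 0;
    return handle_sub_req(&bad, out, sizeof out, &n) == -1 && n == 0;
}

/* Constructed well-formed request: returns the encoded length (4 + 2 + 3). */
size_t demo_valid_trigger_encoded_len(void)
{
    static const uint8_t trigger[3] = { 0x01, 0x02, 0x03 };   /* constructed payload */
    e42_sub_req_t good = { .ric_req_id = 7, .ric_event_trigger_def = { .len = 3, .buf = trigger } };
    uint8_t out[64];
    size_t n = 0;
    return handle_sub_req(&good, out, sizeof out, &n) == 0 ? n : 0;
}

int main(void)
{
    printf("empty trigger rejected before encode: %s\n",
           demo_empty_trigger_is_rejected() ? "yes" : "no");
    printf("valid request encoded to %zu bytes\n", demo_valid_trigger_encoded_len());
    return 0;
}
```

The design point is where the constraint lives: the encoder's assertion is an internal invariant, so the only way to keep it unreachable from the network is to check the same condition at the trust boundary (the decoder) and return an error the caller can log and drop. Keeping the assertion in the encoder is still useful as a second line of defence during testing, but it must never be the first check an untrusted message meets.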
Preconditions
- network: The attacker must have network access to the iApp process on SCTP port 36422.
Reproduction
Connect to the iApp on SCTP port 36422 and send an E42_RIC_SUBSCRIPTION_REQUEST whose ricEventTriggerDefinition field is empty [1].
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.