CVE-2026-37226
Description
FlexRIC v2.0.0 is vulnerable to a NULL pointer dereference, allowing remote attackers to crash the iApp process by sending a crafted subscription request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
FlexRIC v2.0.0 is affected by a NULL pointer dereference vulnerability in the find_map_e2_node_sad() function within src/ric/map_e2_node_sockaddr.c. When the iApp receives an E42_RIC_SUBSCRIPTION_REQUEST referencing a non-existent E2 Node, the lookup function returns NULL. In Debug builds, this is caught by an assert(), causing a SIGABRT, while in Release builds, the NULL pointer is dereferenced, leading to a SIGSEGV crash [1].
Exploitation
A remote, unauthenticated attacker can exploit this vulnerability by sending an E42_RIC_SUBSCRIPTION_REQUEST over SCTP to port 36422. The request must reference an arbitrary, non-existent global_e2_node_id. This triggers the NULL pointer dereference, leading to a denial-of-service condition [1].
Impact
Successful exploitation of this vulnerability allows an unauthenticated remote attacker to crash the iApp process. This results in a denial-of-service (DoS) for the RIC service co-located with the iApp, impacting its availability [1].
Mitigation
No upstream fix was available at the time of publication. Operators are advised to restrict xApp access to trusted clients and ensure that subscription requests target known E2 nodes. The vulnerability exists in FlexRIC v2.0.0 through at least commit 6a595d8b (2025-11-12) [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0): No patches discovered yet.
Vulnerability mechanics
Root cause
"The iApp process dereferences a NULL pointer when a subscription request references a non-existent E2 node."
Attack vector
A remote, unauthenticated attacker can send an E42_RIC_SUBSCRIPTION_REQUEST message to the iApp's SCTP port 36422 [1]. This request should reference an arbitrary global_e2_node_id that is not present in the FlexRIC's E2 node mapping [1]. This triggers a lookup function that returns NULL, leading to a crash.
Affected code
The vulnerability resides in the `find_map_e2_node_sad()` function within `src/ric/map_e2_node_sockaddr.c` [1]. Specifically, lines 154-160 are affected, where a lookup result is dereferenced after an assertion-based existence check [1].
What the fix does
The advisory does not specify a patch. It recommends that operators restrict xApp access to trusted clients and ensure subscriptions target known E2 nodes [1]. The advisory suggests that the lookup function should return an explicit not-found error and the subscription path should reject requests for unknown E2 nodes [1].
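The pattern the advisory suggests, a lookup that reports not-found and a subscription path that rejects unknown nodes instead of dereferencing the result, as an added example (this is not FlexRIC code; the struct, function names, node ids and addresses are constructed assumptions):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the E2 node -> socket address map. */
typedef struct {
    uint64_t global_e2_node_id;
    char     addr[32];
} e2_node_entry_t;

/* Constructed sample table of known E2 nodes. */
static const e2_node_entry_t g_nodes[] = {
    { 1001, "10.0.0.11" },
    { 1002, "10.0.0.12" },
};
#define NODE_COUNT (sizeof g_nodes / sizeof g_nodes[0])

/* Lookup returns NULL for an unknown id; callers must check it.
 * The vulnerable pattern described on this page relied on an
 * assert() here and dereferenced the result unconditionally. */
static const e2_node_entry_t *find_e2_node(uint64_t id)
{
    for (size_t i = 0; i < NODE_COUNT; i++)
        if (g_nodes[i].global_e2_node_id == id)
            return &g_nodes[i];
    return NULL;
}

typedef enum { SUB_OK = 0, SUB_ERR_UNKNOWN_NODE = 1 } sub_status_t;

/* Hardened subscription path: an unknown target id yields an explicit
 * error to the requesting xApp and the process keeps running. */
sub_status_t handle_subscription_request(uint64_t target_id,
                                         char *out_addr, size_t out_len)
{
    const e2_node_entry_t *node = find_e2_node(target_id);
    if (node == NULL) {
        fprintf(stderr, "subscription rejected: unknown E2 node %llu\n",
                (unsigned long long)target_id);
        return SUB_ERR_UNKNOWN_NODE;
    }
    snprintf(out_addr, out_len, "%s", node->addr);
    return SUB_OK;
}
```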
Preconditions
- auth: The attacker does not need any authentication.
- network: The attacker must be able to reach the iApp's SCTP port 36422.
- input: The attacker must send an E42_RIC_SUBSCRIPTION_REQUEST referencing a non-existent E2 node.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
References (1)
News mentions (0): No linked articles in our index yet.