CVE-2026-37227
Description
FlexRIC v2.0.0 is vulnerable to a remote denial-of-service attack via reachable assertion failures in unimplemented E2AP message handlers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
FlexRIC v2.0.0 through commit 6a595d8b contains multiple reachable assert(0) calls within the near-RT RIC message handler logic located in src/ric/msg_handler_ric.c [1]. These assertions are triggered when the system receives specific E2AP message types that are included in the internal whitelist but lack functional implementation, specifically affecting handlers at lines 142, 173, 302, 362, 374, 386, 398, 410, and 422 [1].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending a crafted, decodable E2AP PDU to the near-RT RIC process listening on SCTP port 36421 [1]. Because the message types pass the initial whitelist validation, the application dispatches the request to the corresponding stub handler, which executes the unconditional assertion and causes the process to terminate [1].
Impact
Successful exploitation results in a denial-of-service condition, as the near-RT RIC process crashes via SIGABRT [1]. This prevents the RIC from performing its intended functions, effectively disrupting the O-RAN control plane operations managed by the affected instance [1].
Mitigation
No upstream fix is currently available [1]. Operators are advised to restrict access to the E2 SCTP port 36421 to trusted nodes only to prevent unauthorized message injection [1]. Developers should replace the assert(0) calls in the stub handlers with logic that returns appropriate protocol error responses or gracefully ignores unsupported messages [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The near-RT RIC contains reachable assert(0) calls in stub handlers for unimplemented E2AP message types."
Attack vector
A remote unauthenticated attacker can trigger a denial of service by sending a decodable E2AP PDU of a whitelisted but unimplemented type to the near-RT RIC process on SCTP port 36421 [1]. The message successfully passes the initial whitelist validation but subsequently reaches an unconditional assertion failure within the message handler [1]. This causes the process to abort via SIGABRT [1].
Affected code
The vulnerability is located in src/ric/msg_handler_ric.c [1]. Specifically, the affected handler lines are 142, 173, 302, 362, 374, 386, 398, 410, and 422 [1].
What the fix does
No upstream fix is currently available for this vulnerability [1]. The advisory recommends that operators restrict E2 SCTP access to trusted nodes to mitigate the risk [1]. Future remediation should involve replacing the assert(0) calls in the stub handlers with logic that returns appropriate protocol errors or ignores unsupported messages [1].
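The Mitigation section and the paragraph above both describe the same code-level remediation: keep the whitelist, but make the stub for a whitelisted-yet-unimplemented procedure return an error instead of executing assert(0). The following C program is an added illustration of that pattern, not FlexRIC code; the enum values, function names (dispatch_vulnerable, dispatch_hardened, process_stream_hardened) and the sample message stream are all hypothetical, constructed for this example.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical E2AP procedure identifiers used only in this example.
 * They are not FlexRIC's enum values or function names. */
typedef enum {
    E2_SETUP_REQUEST = 1,
    RIC_SUBSCRIPTION_RESPONSE = 2,
    E2NODE_CONFIGURATION_UPDATE = 3, /* accepted by the whitelist, no real handler */
    RIC_CONTROL_FAILURE = 4,         /* accepted by the whitelist, no real handler */
    UNKNOWN_PROCEDURE = 99           /* rejected before dispatch */
} e2ap_msg_t;

typedef enum {
    HANDLE_OK = 0,
    HANDLE_REJECTED_NOT_WHITELISTED = 1,
    HANDLE_UNSUPPORTED = 2
} handle_rc_t;

/* Decoder-side whitelist: these procedure ids are decodable and get dispatched. */
static bool is_whitelisted(e2ap_msg_t t)
{
    return t == E2_SETUP_REQUEST || t == RIC_SUBSCRIPTION_RESPONSE ||
           t == E2NODE_CONFIGURATION_UPDATE || t == RIC_CONTROL_FAILURE;
}

static handle_rc_t handle_e2_setup_request(void)       { return HANDLE_OK; }
static handle_rc_t handle_ric_subscription_resp(void)  { return HANDLE_OK; }

/* The defect pattern: a stub that exists only so the dispatch table compiles.
 * Reaching it aborts the whole RIC process with SIGABRT. It is kept here for
 * contrast and is never invoked by dispatch_hardened(). */
static handle_rc_t stub_assert(void)
{
    assert(0 && "E2AP handler not implemented");
    return HANDLE_OK; /* only reachable when built with NDEBUG */
}

/* The fix pattern: log the unsupported procedure, tell the caller so it can
 * send an E2AP error/failure response, and keep the process alive. */
static handle_rc_t stub_unsupported(const char *proc_name)
{
    fprintf(stderr, "E2AP: procedure %s is whitelisted but not implemented; ignoring\n",
            proc_name);
    return HANDLE_UNSUPPORTED;
}

/* Vulnerable dispatcher: whitelist check, then an unconditional assert for
 * every whitelisted type that has no real handler. */
handle_rc_t dispatch_vulnerable(e2ap_msg_t t)
{
    if (!is_whitelisted(t)) return HANDLE_REJECTED_NOT_WHITELISTED;
    switch (t) {
    case E2_SETUP_REQUEST:          return handle_e2_setup_request();
    case RIC_SUBSCRIPTION_RESPONSE: return handle_ric_subscription_resp();
    default:                        return stub_assert(); /* process dies here */
    }
}

/* Hardened dispatcher: same whitelist, but unimplemented types are reported
 * to the caller as HANDLE_UNSUPPORTED rather than asserted on. */
handle_rc_t dispatch_hardened(e2ap_msg_t t)
{
    if (!is_whitelisted(t)) return HANDLE_REJECTED_NOT_WHITELISTED;
    switch (t) {
    case E2_SETUP_REQUEST:            return handle_e2_setup_request();
    case RIC_SUBSCRIPTION_RESPONSE:   return handle_ric_subscription_resp();
    case E2NODE_CONFIGURATION_UPDATE: return stub_unsupported("E2nodeConfigurationUpdate");
    case RIC_CONTROL_FAILURE:         return stub_unsupported("RICcontrolFailure");
    default:                          return stub_unsupported("unlisted-but-whitelisted");
    }
}

/* Run a stream of decoded PDU types through the hardened dispatcher and return
 * how many were fully handled; unsupported ones are counted, not fatal. */
size_t process_stream_hardened(const e2ap_msg_t *msgs, size_t n, size_t *unsupported_out)
{
    size_t ok = 0, unsupported = 0;
    for (size_t i = 0; i < n; i++) {
        handle_rc_t rc = dispatch_hardened(msgs[i]);
        if (rc == HANDLE_OK) ok++;
        else if (rc == HANDLE_UNSUPPORTED) unsupported++;
    }
    if (unsupported_out) *unsupported_out = unsupported;
    return ok;
}

int main(void)
{
    /* Constructed sample stream: a normal setup, two whitelisted-but-unimplemented
     * procedures, one rejected by the whitelist, then a subscription response. */
    const e2ap_msg_t stream[] = { E2_SETUP_REQUEST, E2NODE_CONFIGURATION_UPDATE,
                                  RIC_CONTROL_FAILURE, UNKNOWN_PROCEDURE,
                                  RIC_SUBSCRIPTION_RESPONSE };
    size_t unsupported = 0;
    size_t ok = process_stream_hardened(stream, sizeof stream / sizeof stream[0], &unsupported);
    printf("handled=%zu unsupported=%zu (process still running)\n", ok, unsupported);
    return 0;
}
```

The point of the contrast is the default arm of each switch: in the vulnerable version the whitelist guarantees that the stub is reachable from the network, so passing validation is exactly what leads to the abort. Returning a distinct status lets the caller answer with a protocol-level failure and lets a detection rule count unsupported-procedure events per peer instead of discovering the problem from a SIGABRT in the process supervisor's logs.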
Preconditions
- Network: The attacker must have network access to the near-RT RIC process on SCTP port 36421.
- Input: The attacker must send a decodable E2AP PDU that is whitelisted but unimplemented by the near-RT RIC.
Reproduction
Send a decodable E2AP PDU for one of the whitelisted but unimplemented message types (e.g., E2nodeConfigurationUpdate) to SCTP port 36421 [1]. The message passes the near-RT RIC whitelist and dispatches to a stub handler that unconditionally asserts, causing the process to crash [1].
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.