VYPR
Unrated severity · NVD Advisory · Published Jun 1, 2026

CVE-2026-37228

Description

FlexRIC v2.0.0 has a reachable assertion in e2ap_recv_sctp_msg() that allows remote attackers to crash processes by sending oversized SCTP messages.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

FlexRIC v2.0.0 contains a reachable assertion in the e2ap_recv_sctp_msg() function located in src/lib/ep/e2ap_ep.c. The function allocates a fixed 32KB receive buffer and asserts that the return value from sctp_recvmsg() is less than the buffer length. This vulnerability affects FlexRIC v2.0.0 through at least commit 6a595d8b [1].

Exploitation

A remote, unauthenticated attacker can exploit this vulnerability by sending a single SCTP message with a payload size greater than or equal to 32,768 bytes to either port 36421 or 36422. The payload does not need to be a valid E2AP PDU. The vulnerable code path is shared by the near-RT RIC, iApp, E2 Agent, and xApp endpoint types [1].

Impact

Successful exploitation causes the near-RT RIC, iApp, E2 Agent, or xApp process to terminate via SIGABRT. In release builds where assertions are stripped, this condition can lead to incorrect length handling and a potential out-of-bounds read, which could have further security implications [1].

Mitigation

No upstream fix was available at the time of publication. Operators are advised to restrict access to SCTP ports 36421 and 36422 to trusted peers and filter oversized messages where possible. The receive path should handle MSG_EOR and other relevant SCTP message flags appropriately [1].

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"A reachable assertion in the SCTP message receive function allows an attacker to cause a denial of service."

Attack vector

A remote, unauthenticated attacker can send a single SCTP message with a payload size greater than or equal to 32,768 bytes to FlexRIC endpoints on ports 36421 or 36422. This message does not need to be a valid E2AP PDU. The vulnerability is triggered before any protocol-level decoding or validation occurs [1].

Affected code

The vulnerability resides in the `e2ap_recv_sctp_msg()` function located in `src/lib/ep/e2ap_ep.c`. This function handles SCTP messages for the near-RT RIC, iApp, E2 Agent, and xApp endpoints [1].

What the fix does

The advisory does not specify a patch or fix. It recommends that operators restrict SCTP ports to trusted peers and filter oversized messages where possible. The receive path should be updated to handle MSG_EOR, oversized records, and receive operations correctly [1].
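One way a receive path can treat MSG_EOR and oversized records as ordinary conditions, shown as an added example; it is not FlexRIC code and not an upstream patch. The callback type `rx_fn`, the status enum, and the `fake_rx`/`recv_sample` helpers are hypothetical names standing in for `sctp_recvmsg()` so the block runs without an SCTP stack.

```c
#include <string.h>
#include <sys/socket.h> /* MSG_EOR, ssize_t */
#define RX_BUF_LEN 32768 /* the 32KB buffer size given in the advisory */
enum rx_status { RX_OK, RX_OVERSIZED, RX_CLOSED, RX_ERROR };

/* Hypothetical stand-in for sctp_recvmsg(): returns bytes copied and sets
 * MSG_EOR in *flags on the last piece of a record. */
typedef ssize_t (*rx_fn)(void *ctx, void *buf, size_t len, int *flags);

/* Reads one record. The peer-controlled length picks a return code instead
 * of feeding an assert on the returned length that aborts the process. */
static enum rx_status recv_record(rx_fn rx, void *ctx, unsigned char *buf, size_t *out_len)
{
    int flags = 0;
    ssize_t rc = rx(ctx, buf, RX_BUF_LEN, &flags);
    *out_len = 0;
    if (rc < 0) return RX_ERROR;
    if (rc == 0) return RX_CLOSED;
    if (flags & MSG_EOR) { /* whole record fits, even at exactly RX_BUF_LEN */
        *out_len = (size_t)rc;
        return RX_OK;
    }
    /* No MSG_EOR: the rest is still queued. Drain and drop it so the next
     * read starts on a record boundary (conservative simplification). */
    do {
        flags = 0;
        rc = rx(ctx, buf, RX_BUF_LEN, &flags);
        if (rc < 0) return RX_ERROR;
        if (rc == 0) return RX_CLOSED;
    } while (!(flags & MSG_EOR));
    return RX_OVERSIZED;
}

/* Constructed source: one record of `total` bytes, delivered in pieces. */
struct fake_src { size_t total, off; };
static ssize_t fake_rx(void *ctx, void *buf, size_t len, int *flags)
{
    struct fake_src *s = ctx;
    size_t n = s->total - s->off < len ? s->total - s->off : len;
    memset(buf, 0x41, n);
    s->off += n;
    if (s->off == s->total) *flags |= MSG_EOR;
    return (ssize_t)n;
}
static size_t last_len; /* length delivered by the latest recv_sample() */
static enum rx_status recv_sample(size_t record_len)
{
    static unsigned char buf[RX_BUF_LEN];
    struct fake_src src = { record_len, 0 };
    return recv_record(fake_rx, &src, buf, &last_len);
}
```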

Preconditions

  • auth: The attacker is unauthenticated.
  • network: The attacker has network access to the FlexRIC endpoints on ports 36421 or 36422.
  • input: The attacker can send a single SCTP message with a payload size of at least 32,768 bytes.

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
