CVE-2026-37229
Description
FlexRIC v2.0.0 has a reachable assertion in e2ap_create_pdu() that allows remote attackers to crash the process via malformed ASN.1 PER data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
FlexRIC v2.0.0 contains a reachable assertion in the e2ap_create_pdu() function, triggered when ASN.1 PER decoding fails. This vulnerability affects all three E2AP protocol versions (v1.01, v2.03, v3.01) and is located in the ASN.1 decoding modules for each version [1].
Exploitation
A remote, unauthenticated attacker can exploit this vulnerability by sending any non-PER byte sequence, such as a single 0x00 byte, over SCTP to the near-RT RIC (port 36421) or iApp (port 36422). The assertion is reached before any protocol-level validation occurs, allowing the malformed input to directly cause a crash [1].
Impact
Successful exploitation of this vulnerability will cause the near-RT RIC or iApp process to terminate via SIGABRT, resulting in a denial of service. The attacker gains no further privileges or access beyond crashing the targeted process [1].
Mitigation
No upstream fix was available at the time of publication. Operators are advised to restrict SCTP access to trusted peers. The recommended approach is to treat decode failures as normal malformed input and handle them by rejecting or dropping the message instead of asserting [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"A reachable assertion in e2ap_create_pdu() occurs when ASN.1 PER decoding fails."
Attack vector
A remote, unauthenticated attacker can send any non-PER byte sequence, such as a single 0x00 byte, over SCTP to the near-RT RIC (port 36421) or iApp (port 36422) [1]. This input is processed before any protocol-level validation, leading to a crash. The assertion is reached due to a failure in the ASN.1 decode helper, which expects a successful return code [1].
Affected code
The vulnerability resides in the `e2ap_create_pdu()` function within the ASN.1 decoding logic. This function is present in multiple version-specific files: `src/lib/e2ap/v1_01/dec/e2ap_msg_dec_asn.c`, `src/lib/e2ap/v2_03/dec/e2ap_msg_dec_asn.c`, and `src/lib/e2ap/v3_01/dec/e2ap_msg_dec_asn.c` [1].
What the fix does
The advisory does not specify a patch or fix. It recommends that operators restrict SCTP access to trusted peers. Additionally, it suggests that decode failures should be handled as normal malformed input by rejecting or dropping the message, rather than triggering an assertion [1].
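The drop-instead-of-assert handling recommended above, as an added C example that is not FlexRIC's code. `toy_decode`, `toy_pdu_t`, `handle_payload` and the sample payloads are constructed stand-ins (the decoder is not real PER); only the RC_OK check and the single 0x00 byte come from the advisory text.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Stand-in decoder result codes; RC_OK is the check the advisory mentions. */
typedef enum { RC_OK, RC_WMORE, RC_FAIL } dec_code_t;
typedef struct { uint8_t choice, proc_code; } toy_pdu_t;   /* hypothetical PDU */
typedef struct { unsigned accepted, dropped; } rx_stats_t;
static rx_stats_t g_stats;

/* Constructed sample payloads (not captured traffic). */
static const uint8_t SAMPLE_ZERO[] = { 0x00 };        /* too short to decode */
static const uint8_t SAMPLE_JUNK[] = { 0xFF, 0xFF };  /* invalid choice index */
static const uint8_t SAMPLE_OK[]   = { 0x20, 0x05 };  /* choice 1, procedure 5 */

/* Toy decoder, NOT real PER: needs 2 bytes, choice index 0..2 in the top 3 bits. */
static dec_code_t toy_decode(const uint8_t *buf, size_t len, toy_pdu_t *out) {
    if (buf == NULL || len == 0) return RC_FAIL;
    if (len < 2) return RC_WMORE;
    if ((buf[0] >> 5) > 2) return RC_FAIL;
    out->choice = buf[0] >> 5;
    out->proc_code = buf[1];
    return RC_OK;
}

/* Pattern the advisory describes: a non-RC_OK result aborts the whole process. */
static toy_pdu_t create_pdu_asserting(const uint8_t *buf, size_t len) {
    toy_pdu_t pdu = { 0, 0 };
    dec_code_t rc = toy_decode(buf, len, &pdu);
    assert(rc == RC_OK);            /* reachable with peer-controlled bytes */
    return pdu;
}

/* Recommended handling: a failed decode is ordinary bad input, so count it and drop it. */
static int handle_payload(const uint8_t *buf, size_t len, rx_stats_t *st) {
    toy_pdu_t pdu;
    if (toy_decode(buf, len, &pdu) != RC_OK) { st->dropped++; return -1; }
    st->accepted++;
    return pdu.proc_code;           /* caller continues with the decoded PDU */
}

int main(void) {
    /* The asserting variant is only safe on input already known to decode. */
    printf("asserting path, valid input: proc %d\n",
           create_pdu_asserting(SAMPLE_OK, sizeof SAMPLE_OK).proc_code);
    handle_payload(SAMPLE_ZERO, sizeof SAMPLE_ZERO, &g_stats);
    handle_payload(SAMPLE_JUNK, sizeof SAMPLE_JUNK, &g_stats);
    handle_payload(SAMPLE_OK, sizeof SAMPLE_OK, &g_stats);
    printf("accepted=%u dropped=%u\n", g_stats.accepted, g_stats.dropped);
    return 0;
}
```

The `dropped` counter gives operators a metric to alert on when an endpoint starts receiving undecodable payloads.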
Preconditions
- network: The attacker must be able to send data over SCTP to the target ports (36421 or 36422).
- auth: The attacker does not require any authentication.
- input: The attacker must send a non-PER byte sequence, such as a single 0x00 byte.
Reproduction
Send a short malformed or non-PER SCTP payload, such as a single 0x00 byte, to a FlexRIC endpoint on port 36421 or 36422. The endpoint attempts ASN.1 PER decoding and aborts when the decoder returns a non-RC_OK result [1].
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.