CVE-2026-37230
Description
FlexRIC v2.0.0 is vulnerable to a NULL pointer dereference, allowing remote attackers to crash the near-RT RIC by sending a crafted RIC_INDICATION message.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
FlexRIC v2.0.0 is affected by a NULL pointer dereference vulnerability in src/ric/plugin_ric.c within the sm_plugin_ric() function. When the near-RT RIC receives a RIC_INDICATION message whose ran_func_id does not exist in its service model registry, the lookup returns NULL. Because the result is not validated, this triggers an assert() failure in Debug builds and a NULL pointer dereference in Release builds [1].
Exploitation
A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted RIC_INDICATION message with an arbitrary or non-existent ran_func_id to the near-RT RIC's SCTP port 36421. The vulnerability is triggered when the indication handler attempts to use the NULL service model pointer returned by the failed lookup [1].
Impact
Successful exploitation of this vulnerability will cause the near-RT RIC to crash. In Debug builds, this results in a SIGABRT due to an assertion failure, while in Release builds, it leads to a SIGSEGV from a NULL pointer dereference. This constitutes a denial-of-service condition [1].
Mitigation
No upstream fix was available at the time of publication for FlexRIC v2.0.0. Operators are advised to restrict E2 SCTP access to trusted nodes. Additionally, the RIC should validate ran_func_id values and reject indications for unregistered service models without dereferencing a null lookup result [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The near-RT RIC mishandles RIC_INDICATION messages with non-existent ran_func_id values, leading to a NULL pointer dereference."
Attack vector
A remote, unauthenticated attacker can send a crafted RIC_INDICATION message over SCTP to port 36421. This message should contain an arbitrary or non-existent ran_func_id value, such as 9999. The near-RT RIC will then attempt to process this invalid ID, triggering the vulnerability. [ref_id=1].
Affected code
The vulnerability resides in the `sm_plugin_ric()` function within `src/ric/plugin_ric.c`, specifically on lines 196-209. The `e2ap_handle_indication_ric()` function in `src/ric/msg_handler_ric.c` is also involved in the indication handling path that uses the returned service model pointer. [ref_id=1].
What the fix does
The advisory does not specify a patch or upstream fix. It recommends that operators restrict E2 SCTP access to trusted nodes. Additionally, it suggests that the RIC should validate ran_func_id values and reject indications for unregistered service models without dereferencing a null lookup result. [ref_id=1].
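The mitigation described above (validate ran_func_id and reject indications for unregistered service models without dereferencing a null lookup result) is illustrated by the following C sketch. This is an added example, not code from FlexRIC or from the advisory: the registry contents, the `sm_entry_t`/`sm_lookup`/`handle_indication_*` names and the result codes are all hypothetical stand-ins for the lookup in `sm_plugin_ric()` and the indication path in `e2ap_handle_indication_ric()`.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical service-model registry entry (illustrative, not FlexRIC's type). */
typedef struct {
  uint16_t ran_func_id;
  const char *name;
} sm_entry_t;

/* Constructed registry: two registered service models. */
static const sm_entry_t g_registry[] = {
  {2, "sm-a"},
  {3, "sm-b"},
};
#define REGISTRY_LEN (sizeof g_registry / sizeof g_registry[0])

/* Lookup returns NULL for an unknown id, mirroring the behaviour the advisory
   describes for the real registry lookup. */
const sm_entry_t *sm_lookup(uint16_t ran_func_id) {
  for (size_t i = 0; i < REGISTRY_LEN; ++i)
    if (g_registry[i].ran_func_id == ran_func_id) return &g_registry[i];
  return NULL;
}

typedef enum { IND_OK = 0, IND_REJECT_UNKNOWN_SM = 1 } ind_result_t;

/* Pattern the advisory describes: the lookup result is asserted rather than
   validated. An unknown id aborts a Debug build (assert) and dereferences
   NULL in a Release build, where assert() is compiled out. */
ind_result_t handle_indication_unchecked(uint16_t ran_func_id, size_t len) {
  const sm_entry_t *sm = sm_lookup(ran_func_id);
  assert(sm != NULL);
  printf("dispatching %zu bytes to %s\n", len, sm->name); /* crashes when sm == NULL */
  return IND_OK;
}

/* Hardened pattern: check the lookup result, log, and reject the indication
   so the RIC keeps running regardless of build type. */
ind_result_t handle_indication_hardened(uint16_t ran_func_id, size_t len) {
  const sm_entry_t *sm = sm_lookup(ran_func_id);
  if (sm == NULL) {
    fprintf(stderr, "rejecting RIC_INDICATION: unregistered ran_func_id=%u\n",
            (unsigned)ran_func_id);
    return IND_REJECT_UNKNOWN_SM;
  }
  printf("dispatching %zu bytes to %s\n", len, sm->name);
  return IND_OK;
}

int main(void) {
  /* Registered id is dispatched; the constructed unknown id is rejected. */
  handle_indication_hardened(2, 16);
  handle_indication_hardened(9999, 16);
  return 0;
}
```

The rejection branch is also where a defender would count unknown-id indications per E2 peer: a burst of rejections from one node is the observable that distinguishes a probing peer from a misconfigured one.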
Preconditions
- network: The attacker must be able to send SCTP traffic to port 36421 of the near-RT RIC.
- auth: The attacker does not require any authentication.
- input: The attacker must send a crafted RIC_INDICATION message with an invalid ran_func_id.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.