CVE-2026-37231
Description
FlexRIC v2.0.0 suffers from an integer wraparound vulnerability allowing remote DoS via duplicate xApp ID registration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
FlexRIC v2.0.0 uses a uint16_t counter for xapp_id assignment but stores this value in uint32_t message fields. After approximately 65,530 or more E42_SETUP_REQUEST messages, the 16-bit counter wraps around, leading to duplicate xapp_ids. This occurs in src/ric/iApp/e42_iapp.h and src/lib/e2ap/v3_01/e2ap_types/e42_setup_response.h [1].
Exploitation
A remote attacker can trigger this vulnerability by repeatedly sending E42_SETUP_REQUEST messages over SCTP to port 36422. After the xapp_id value wraps and collides with an existing ID, the iApp process attempts to register a duplicate ID in its internal data structure [1].
Impact
When the iApp attempts to register a duplicate xapp_id, it crashes, resulting in a denial of service. In release builds, duplicate IDs can also lead to routing confusion or state corruption [1].
Mitigation
FlexRIC v2.0.0 through at least commit 6a595d8b (2025-11-12) is affected. A fix for this vulnerability is not yet disclosed in the available references. The vendor is EURECOM [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"FlexRIC v2.0.0 uses inconsistent integer widths for xapp_id assignment, leading to integer overflow and wraparound."
Attack vector
A remote attacker can repeatedly send E42_SETUP_REQUEST messages to the iApp SCTP port 36422. After approximately 65,530 or more assignments, the 16-bit counter wraps around, producing duplicate xapp_ids. The iApp process crashes when attempting to register a duplicate ID in its internal data structure, causing a denial of service [1].
Affected code
The vulnerability lies in the inconsistent integer widths used for xapp_id assignment within FlexRIC v2.0.0. Specifically, the xapp_id counter in `src/ric/iApp/e42_iapp.h` (lines 71-73) is wider than the corresponding response field in `src/lib/e2ap/v3_01/e2ap_types/e42_setup_response.h` (lines 29-33). This discrepancy allows duplicate xapp_ids to be generated and registered [1].
What the fix does
The advisory indicates that FlexRIC v2.0.0 uses inconsistent integer widths for xapp_id assignment. The iApp counter is wider than the E42 setup response field, which can lead to truncation, wraparound, and duplicate IDs. The iApp process crashes when registering a duplicate xapp_id. The advisory does not specify a patch or provide remediation steps beyond updating to a fixed version.
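The width mismatch described above, reduced to a minimal ID allocator as an added illustration (not FlexRIC code and not the vendor's fix; every name and the registrant scenario are constructed). It places a counter narrowed into a 16-bit field without a uniqueness check beside an allocator that skips IDs still in use and returns an error when none is free.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative registry; every name is hypothetical, not a FlexRIC identifier. */
#define ID_SPACE 65536u                 /* values a 16-bit field can carry */
typedef struct {
    uint32_t next;                      /* wide allocation counter */
    uint8_t  in_use[ID_SPACE];          /* 1 = ID currently registered */
} id_registry;
static id_registry reg;

/* Weak pattern: the counter is narrowed to the 16-bit field and handed out
 * without checking whether that value is still registered. */
static bool alloc_truncating(id_registry *r, uint16_t *out) {
    *out = (uint16_t)r->next++;         /* wraps to 0 on the 65,537th call */
    bool duplicate = r->in_use[*out];
    r->in_use[*out] = 1;
    return !duplicate;                  /* false: two holders of one ID */
}

/* Hardened pattern: skip values still in use; if every value is taken,
 * return an error the caller can turn into a rejected setup request. */
static bool alloc_checked(id_registry *r, uint16_t *out) {
    for (uint32_t tries = 0; tries < ID_SPACE; tries++) {
        uint16_t cand = (uint16_t)r->next++;
        if (!r->in_use[cand]) { r->in_use[cand] = 1; *out = cand; return true; }
    }
    return false;
}

static void release_id(id_registry *r, uint16_t id) { r->in_use[id] = 0; }

/* Constructed scenario: the first registrant stays connected, every later one
 * registers and disconnects. Returns how many registrations went wrong. */
uint32_t failures_after(uint32_t n, bool checked) {
    uint32_t bad = 0;
    uint16_t id;
    memset(&reg, 0, sizeof reg);
    for (uint32_t i = 0; i < n; i++) {
        bool ok = checked ? alloc_checked(&reg, &id) : alloc_truncating(&reg, &id);
        if (!ok) bad++;
        else if (i > 0) release_id(&reg, id);
    }
    return bad;
}

int main(void) {
    printf("truncating: %u duplicate(s), checked: %u failure(s)\n",
           (unsigned)failures_after(65537, false), (unsigned)failures_after(65537, true));
    return 0;
}
```

The truncating allocator hands the long-lived registrant's ID to a second caller once per 65,536 requests, while the checked allocator reuses released values and never issues an ID that is still registered.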
Preconditions
- network: The attacker needs network access to the iApp SCTP port 36422.
- input: The attacker must repeatedly send E42_SETUP_REQUEST messages.
Reproduction
Repeatedly send valid E42_SETUP_REQUEST messages to iApp SCTP port 36422. After the xapp_id value wraps into the 16-bit response field and collides with an existing registration, the iApp process crashes [1].
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.