CVE-2026-37232
Description
OpenAirInterface5G 2.4.0's nr-softmodem crashes due to a divide-by-zero error in PRB metric calculation, causing 5G cell service interruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An integer division by zero vulnerability exists in OpenAirInterface5G 2.4.0 (nr-softmodem) within the E2SM-KPM RAN Function's PRB utilization metric calculation. The functions fill_RRU_PrbTotDl() and fill_RRU_PrbTotUl() in openair2/E2AP/RAN_FUNCTION/O-RAN/ran_func_kpm_subs.c (lines 182 and 197) calculate PRB usage percentages by dividing by the difference of two consecutive total_prb_aggregate samples without checking if the divisor is zero. This affects OpenAirInterface5G 2.4.0 when integrated with the FlexRIC E2 Agent [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a high volume of E42_RIC_SUBSCRIPTION_REQUEST messages via the FlexRIC iApp (SCTP port 36422). This causes the E2 Agent to generate KPM Indication reports at a high frequency. If two consecutive sampling intervals result in identical total_prb_aggregate values, the divisor becomes zero, triggering the vulnerability [1].
Impact
Successful exploitation leads to a SIGFPE signal, causing the nr-softmodem process to crash. This results in a complete interruption of 5G cell service for all connected User Equipment (UEs), impacting the availability of the network [1].
Mitigation
This vulnerability has been fixed in OpenAirInterface5G. The specific patched version and release date are not yet disclosed in the available references. No workarounds are mentioned. The vulnerability is listed as CWE-369 [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =2.4.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The calculation of PRB usage percentages divides by the difference between two consecutive total_prb_aggregate samples without checking for a zero divisor."
Attack vector
A malicious xApp can send a high volume of E42_RIC_SUBSCRIPTION_REQUEST messages via the FlexRIC iApp on port 36422/SCTP. This causes the E2 Agent to generate KPM Indication reports at a high frequency. If two consecutive sampling intervals result in identical PRB aggregate values, the divisor becomes zero, triggering a SIGFPE signal and crashing the nr-softmodem process [1].
Affected code
The vulnerability exists in the functions fill_RRU_PrbTotDl() and fill_RRU_PrbTotUl() located in openair2/E2AP/RAN_FUNCTION/O-RAN/ran_func_kpm_subs.c at lines 182 and 197 respectively [1]. These functions are responsible for calculating the PRB utilization metric.
What the fix does
The patch prevents the crash by adding a check to ensure the divisor is not zero before performing the division. This addresses the vulnerability where identical consecutive PRB aggregate samples could lead to a division by zero error [1]. The fix ensures that the PRB utilization metric calculation is safe even under high-frequency reporting conditions.
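The unguarded division and a zero-divisor check of the kind described above, as an added example in C. It is not the OpenAirInterface5G source or its patch: the struct, the function names, the used_prb_aggregate field and the choice to report 0 for an empty interval are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical snapshot of two cumulative counters at one reporting instant. */
typedef struct {
  uint64_t used_prb_aggregate;  /* assumed name: PRBs scheduled so far */
  uint64_t total_prb_aggregate; /* PRBs available so far */
} prb_sample_t;

/* Unguarded pattern from the description: the divisor is the difference of
 * two consecutive total_prb_aggregate samples. Identical samples make it zero;
 * integer division by zero is undefined behaviour (SIGFPE on x86-64 Linux). */
uint32_t prb_pct_unguarded(prb_sample_t prev, prb_sample_t cur)
{
  return (uint32_t)((cur.used_prb_aggregate - prev.used_prb_aggregate) * 100 /
                    (cur.total_prb_aggregate - prev.total_prb_aggregate));
}

/* Guarded form. Returns 0 and writes the percentage to *pct, or returns -1
 * (with *pct = 0, an assumed fallback) when the interval has no usable data. */
int prb_pct_guarded(prb_sample_t prev, prb_sample_t cur, uint32_t *pct)
{
  *pct = 0;
  if (cur.total_prb_aggregate <= prev.total_prb_aggregate)
    return -1; /* zero divisor, or the counter was reset */
  if (cur.used_prb_aggregate < prev.used_prb_aggregate)
    return -1; /* used counter went backwards */
  uint64_t total = cur.total_prb_aggregate - prev.total_prb_aggregate;
  uint64_t used = cur.used_prb_aggregate - prev.used_prb_aggregate;
  if (used > total)
    used = total; /* clamp so the result never exceeds 100 */
  /* Avoid overflow of used * 100 for very large deltas. */
  *pct = (used > UINT64_MAX / 100) ? (uint32_t)(used / (total / 100))
                                   : (uint32_t)(used * 100 / total);
  return 0;
}

int main(void)
{
  /* Constructed samples: the second and third reads are identical. */
  prb_sample_t s[] = {{0, 0}, {530, 1060}, {530, 1060}, {742, 1272}};
  for (int i = 1; i < 4; i++) {
    uint32_t pct;
    int rc = prb_pct_guarded(s[i - 1], s[i], &pct);
    printf("interval %d: rc=%d pct=%u\n", i, rc, pct);
  }
  return 0;
}
```

Returning an error code alongside the fallback value lets the reporting path distinguish an interval with no new samples from genuine 0 % utilization.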
Preconditions
- auth: No authentication is required to trigger the vulnerability [1].
- network: The attack is triggered via SCTP port 36422 [1].
- input: A high volume of E42_RIC_SUBSCRIPTION_REQUEST messages must be sent.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References