CVE-2026-37234
Description
FlexRIC v2.0.0 allows resource leaks and state corruption via multiple SCTP E42_SETUP_REQUESTs, enabling remote attackers to cause denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
FlexRIC v2.0.0 through at least commit 6a595d8b (2025-11-12) allows a single SCTP association to bind multiple xapp_id values: each E42_SETUP_REQUEST received on the same association is answered with a fresh identity. The vulnerability resides in src/ric/iApp/msg_handler_iapp.c within the e2ap_handle_e42_setup_request_iapp() function, which allocates a new xapp_id for every request without checking whether the originating SCTP association already has an assigned xApp identity [1].
Exploitation
A remote, unauthenticated attacker can exploit this vulnerability by establishing a single SCTP connection to port 36422 and sending multiple E42_SETUP_REQUEST messages over it. Once the iApp has processed the requests, the attacker closes the SCTP association. Because the disconnect handling path cleans up only the first xapp_id registered on that association, every other identity (and any subscriptions tied to it) is orphaned [1].
Impact
Each connect/setup/disconnect cycle leaves stale xapp_id entries and subscriptions behind in the iApp. Repeating the cycle accumulates this orphaned state, leading to resource exhaustion and state corruption and ultimately a denial-of-service condition. The vulnerability is rated High with a CVSS 3.1 score of 8.2, reflecting its impact on availability and integrity [1].
Mitigation
No patched version or specific mitigation steps are disclosed in the available references. The affected versions are FlexRIC v2.0.0 through at least commit 6a595d8b (2025-11-12) [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The cleanup logic for disconnected SCTP associations only removes the first registered xApp ID, leaving subsequent ones and their associated state as stale entries."
Attack vector
A remote, unauthenticated attacker can establish a single SCTP connection to the iApp port (36422) and send multiple E42_SETUP_REQUEST messages. After registering multiple xapp_ids to this connection, the attacker can then disconnect. This sequence of actions triggers the vulnerability, allowing for the exploitation of stale entries.
Affected code
The vulnerability resides in the `e2ap_handle_e42_setup_request_iapp()` function within `src/ric/iApp/msg_handler_iapp.c`. The setup handler at lines 238-257 allocates a new xapp_id for every request without checking whether the SCTP association is already bound to one. The disconnect handling path in `src/ric/iApp/e42_iapp.c`, lines 237-244, is also implicated: it releases only one xapp_id for the closed association instead of all of them.
What the fix does
The advisory does not specify a patch or describe a fix. It identifies the defect as the handling of disconnect notifications, where only one xapp_id is processed for cleanup and the others are orphaned. A complete remediation would need two parts: reject (or idempotently answer) a second E42_SETUP_REQUEST on an association that is already bound to an xapp_id, and on disconnect release every xapp_id and subscription associated with that SCTP association rather than the first one found.
Preconditions
- Network: the attacker must be able to establish an SCTP connection to the iApp port (36422).
- Authentication: none required.
Reproduction
Open one SCTP connection to iApp port 36422 and send multiple valid E42_SETUP_REQUEST messages on that same association. The iApp answers each with a different xapp_id, so several xApp identities end up bound to a single SCTP association. Closing the association afterwards releases only one of them; the rest remain as stale entries, which is the leak the advisory describes.
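The registry behaviour behind the reproduction above and the cleanup the fix would need, as an added example that is not FlexRIC's code: a minimal model of the iApp's association-to-xapp_id table with the vulnerable setup and disconnect handlers beside hardened ones. The table layout, function names and the association id 7 are hypothetical; only the sequence of events (one association, several setup requests, one disconnect) comes from the advisory.

```c
/* Added example, not FlexRIC code: a minimal model of the iApp's
 * SCTP-association -> xapp_id registry. All names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

#define MAX_XAPPS 64

typedef struct {
    int assoc_id;   /* SCTP association the xApp registered on */
    int xapp_id;    /* identifier returned in the E42 setup response */
    bool in_use;
} xapp_entry_t;

typedef struct {
    xapp_entry_t e[MAX_XAPPS];
    int next_xapp_id;
} iapp_state_t;

static void iapp_init(iapp_state_t *s) {
    for (int i = 0; i < MAX_XAPPS; i++) s->e[i].in_use = false;
    s->next_xapp_id = 1;
}

static int live_entries(const iapp_state_t *s) {
    int n = 0;
    for (int i = 0; i < MAX_XAPPS; i++) if (s->e[i].in_use) n++;
    return n;
}

static int alloc_entry(iapp_state_t *s, int assoc_id) {
    for (int i = 0; i < MAX_XAPPS; i++) {
        if (!s->e[i].in_use) {
            s->e[i].in_use = true;
            s->e[i].assoc_id = assoc_id;
            s->e[i].xapp_id = s->next_xapp_id++;
            return s->e[i].xapp_id;
        }
    }
    return -1;  /* table full: what repeated leaks eventually reach */
}

/* Vulnerable pattern from the advisory: every E42_SETUP_REQUEST gets a fresh
 * xapp_id, with no check that assoc_id already holds one. */
static int vuln_handle_setup(iapp_state_t *s, int assoc_id) {
    return alloc_entry(s, assoc_id);
}

/* Vulnerable cleanup: frees the first matching entry and returns, so every
 * other xapp_id bound to the association (and its subscriptions) is orphaned. */
static void vuln_handle_disconnect(iapp_state_t *s, int assoc_id) {
    for (int i = 0; i < MAX_XAPPS; i++)
        if (s->e[i].in_use && s->e[i].assoc_id == assoc_id) {
            s->e[i].in_use = false;
            return;
        }
}

/* Hardened setup: an association that already holds an xapp_id gets the same
 * id back, so a repeated or retransmitted request cannot multiply state. */
static int safe_handle_setup(iapp_state_t *s, int assoc_id) {
    for (int i = 0; i < MAX_XAPPS; i++)
        if (s->e[i].in_use && s->e[i].assoc_id == assoc_id)
            return s->e[i].xapp_id;
    return alloc_entry(s, assoc_id);
}

/* Hardened cleanup: free every entry bound to the association, so nothing is
 * left behind even if the setup-time check were ever bypassed. */
static void safe_handle_disconnect(iapp_state_t *s, int assoc_id) {
    for (int i = 0; i < MAX_XAPPS; i++)
        if (s->e[i].in_use && s->e[i].assoc_id == assoc_id)
            s->e[i].in_use = false;
}

typedef int (*setup_fn)(iapp_state_t *, int);
typedef void (*disc_fn)(iapp_state_t *, int);

/* Replay the reproduction sequence on one constructed association (id 7):
 * n setup requests, then a disconnect. Returns the entries still live, i.e.
 * the stale xapp_ids; pass disc = NULL to count the ids bound before disconnect. */
static int live_after_replay(setup_fn setup, disc_fn disc, int n) {
    iapp_state_t s;
    iapp_init(&s);
    for (int i = 0; i < n; i++) setup(&s, 7);
    if (disc) disc(&s, 7);
    return live_entries(&s);
}

int main(void) {
    printf("vulnerable: %d xapp_ids bound to one association, %d stale after disconnect\n",
           live_after_replay(vuln_handle_setup, NULL, 5),
           live_after_replay(vuln_handle_setup, vuln_handle_disconnect, 5));
    printf("hardened:   %d xapp_ids bound to one association, %d stale after disconnect\n",
           live_after_replay(safe_handle_setup, NULL, 5),
           live_after_replay(safe_handle_setup, safe_handle_disconnect, 5));
    return 0;
}
```

With five setup requests the vulnerable handlers bind five xapp_ids to the one association and leave four of them stale after the disconnect; the hardened handlers bind one and leave none. The disconnect-side fix matters on its own: even with the setup check in place, a cleanup that stops after the first match would still orphan state if any other path ever bound a second identity to an association.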
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.