CVE-2026-37235
Description
FlexRIC v2.0.0 allows remote attackers to impersonate xApps by exploiting improper xapp_id validation, potentially crashing the RIC.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
FlexRIC v2.0.0 trusts the xapp_id field from E42 message payloads without binding it to the sender's SCTP association. The valid_xapp_id() function only checks if the xapp_id is within an assigned range, not if the request originates from the legitimate sender. This affects FlexRIC v2.0.0 through at least commit 6a595d8b [1].
Exploitation
A remote, unauthenticated attacker can send an E42_RIC_SUBSCRIPTION_REQUEST to the iApp on port 36422, specifying a victim xApp's xapp_id. The iApp processes this request as if it originated from the victim xApp, as the validation function does not verify the SCTP association [1].
Impact
By impersonating another xApp, an attacker can cause responses to be misrouted to the victim xApp. This can lead to state inconsistencies in the red-black tree data structure, potentially crashing the victim xApp, the near-RT RIC, or the iApp itself [1].
Mitigation
No upstream fix was available at the time of publication. Operators should restrict iApp access to trusted xApps and monitor for suspicious activity. The affected component is src/ric/iApp/msg_handler_iapp.c [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"FlexRIC v2.0.0 trusts the xapp_id field from E42 message payloads without binding it to the sender's SCTP association."
Attack vector
A remote, unauthenticated attacker can send an E42_RIC_SUBSCRIPTION_REQUEST with a victim's xapp_id over SCTP to port 36422 [1]. The xapp_id values are predictable and enumerable, allowing an attacker to impersonate any xApp. The iApp checks only the numeric range of the xapp_id and processes the request as if it came from the victim xApp [1].
Affected code
The vulnerability lies in the `valid_xapp_id()` function within `src/ric/iApp/msg_handler_iapp.c` [1]. This function, along with the E42 request handling paths that trust the payload xapp_id, fails to verify the origin of the request against the SCTP association assigned during E42 setup [1]. The mapping between xApp ID and SCTP association is handled in `src/ric/iApp/map_xapps_sockaddr.c` [1].
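An added illustration, not FlexRIC's code and not an upstream patch: the range-only check the advisory describes, beside a check that also requires the payload xapp_id to be the one assigned to the sender's SCTP association at E42 setup. The struct layout, MAX_XAPPS, the id range and every function name other than valid_xapp_id are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of iApp bookkeeping for this illustration; not FlexRIC's structs. */
#define MAX_XAPPS   8
#define XAPP_ID_MIN 1
#define XAPP_ID_MAX 64

typedef struct {
    bool     in_use;
    int      assoc_id;  /* SCTP association the xApp completed E42 setup on (assumed) */
    uint16_t xapp_id;   /* id the iApp assigned at setup */
} xapp_binding_t;

typedef struct { xapp_binding_t bind[MAX_XAPPS]; } iapp_state_t;

/* Range-only check, mirroring the behaviour the advisory describes as vulnerable:
 * any sender that knows an in-range id passes. */
bool valid_xapp_id_range_only(uint16_t xapp_id)
{
    return xapp_id >= XAPP_ID_MIN && xapp_id <= XAPP_ID_MAX;
}

/* Record, at E42 setup, which association owns which xapp_id. Fails when the table is
 * full or the id is already owned by another association. */
bool bind_xapp(iapp_state_t *st, int assoc_id, uint16_t xapp_id)
{
    if (!valid_xapp_id_range_only(xapp_id)) return false;
    int free_slot = -1;
    for (int i = 0; i < MAX_XAPPS; i++) {
        if (st->bind[i].in_use && st->bind[i].xapp_id == xapp_id) return false;
        if (!st->bind[i].in_use && free_slot < 0) free_slot = i;
    }
    if (free_slot < 0) return false;
    st->bind[free_slot] = (xapp_binding_t){ true, assoc_id, xapp_id };
    return true;
}

/* Drop every binding for an association when its SCTP connection closes, so a reused
 * association id cannot inherit a stale xapp_id. */
void unbind_assoc(iapp_state_t *st, int assoc_id)
{
    for (int i = 0; i < MAX_XAPPS; i++)
        if (st->bind[i].in_use && st->bind[i].assoc_id == assoc_id) st->bind[i].in_use = false;
}

/* Bound check: the payload xapp_id must be in range AND be the id assigned to the
 * association the request arrived on; a request carrying another xApp's id is rejected. */
bool valid_xapp_id_bound(const iapp_state_t *st, int assoc_id, uint16_t xapp_id)
{
    if (!valid_xapp_id_range_only(xapp_id)) return false;
    for (int i = 0; i < MAX_XAPPS; i++)
        if (st->bind[i].in_use && st->bind[i].assoc_id == assoc_id && st->bind[i].xapp_id == xapp_id)
            return true;
    return false;
}
```

The bound check is what an E42 request handler would call with the association the message arrived on, in place of the range-only test.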
What the fix does
The advisory does not specify a patch or fix. It recommends that operators restrict iApp access to trusted xApps and monitor requests that claim identities [1]. This guidance aims to mitigate the vulnerability by preventing unauthorized access and detecting malicious activity.
Preconditions
- Network access to the iApp SCTP port 36422.
- Knowledge of a victim xApp's assigned xapp_id.
Reproduction
Connect to iApp SCTP port 36422 and send an E42 request containing another xApp's assigned xapp_id, such as an E42_RIC_SUBSCRIPTION_REQUEST. The iApp checks only the numeric range and processes the request as if it came from the victim xApp, which can misroute responses and corrupt state [1].
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.