CVE-2026-37225 - Vulnerability Details

- Remote Denial of Service via E42_RIC_SUBSCRIPTION_REQUEST Validation Mismatch in FlexRIC

Description

FlexRIC v2.0.0 crashes when the iApp receives an E42_RIC_SUBSCRIPTION_REQUEST with an empty ricEventTriggerDefinition field. The E42 layer decoder accepts this as valid, but the E2AP encoder asserts a non-empty constraint when forwarding the request. A remote unauthenticated attacker can crash the iApp process (port 36422) via SIGABRT by exploiting this cross-layer validation mismatch.

Published: 2026-06-01

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A malformed E42_RIC_SUBSCRIPTION_REQUEST that contains an empty ricEventTriggerDefinition field triggers a validation mismatch between the E42 decoder and the E2AP encoder in FlexRIC. The decoder mistakenly accepts the empty value as valid, but the encoder later asserts a non‑empty constraint, causing the iApp process to abort with SIGABRT. An attacker can send such a request to the iApp’s listening port 36422, disrupting the service without authentication or authorization. The weakness is classified as CWE‑617, a Cross‑Layer Validation Mismatch.

Affected Systems

FlexRIC v2.0.0 – a 5G RIC open‑source component that listens on TCP port 36422. No other products or vendors are listed as affected.

Risk and Exploitability

The vulnerability has a CVSS score of 7.5 and no EPSS value available, and it is not catalogued in CISA’s KEV. Nonetheless, the flaw permits an unauthenticated remote attacker to crash the iApp, yielding a denial of service. The attack vector is over the network, requiring the attacker to construct a valid E42 layer request with an empty ricEventTriggerDefinition field and deliver it to the service endpoint.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Vendor Product Confidence Versions

Mosaic5g

Flexric

80%

Version	Status	Scheme	Platform
`2.0.0`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest FlexRIC release that corrects the cross‑layer validation mismatch identified by CWE‑617
If a fix is not yet available, restrict access to port 36422 with a firewall or network segmentation to limit exposure to trusted hosts, mitigating the CWE‑617 weakness
Add a local pre‑processing step or configuration change that rejects E42_RIC_SUBSCRIPTION_REQUEST messages with an empty ricEventTriggerDefinition before they reach the E2AP encoder, thereby addressing the CWE‑617 vulnerability

Generated by OpenCVE AI on June 1, 2026 at 23:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00415.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37225.md
https://gitlab.eurecom.fr/mosaic5g/flexric

History

Wed, 03 Jun 2026 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mosaic5g Mosaic5g flexric
Vendors & Products		Mosaic5g Mosaic5g flexric

Tue, 02 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Title		Remote Denial of Service via E42_RIC_SUBSCRIPTION_REQUEST Validation Mismatch in FlexRIC

Mon, 01 Jun 2026 21:30:00 +0000

Type	Values Removed	Values Added
Title	Crash on Empty ricEventTriggerDefinition in FlexRIC
Weaknesses	CWE-20

Mon, 01 Jun 2026 19:30:00 +0000

Type	Values Removed	Values Added
Title		Crash on Empty ricEventTriggerDefinition in FlexRIC
Weaknesses		CWE-20

Mon, 01 Jun 2026 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-617
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 01 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		FlexRIC v2.0.0 crashes when the iApp receives an E42_RIC_SUBSCRIPTION_REQUEST with an empty ricEventTriggerDefinition field. The E42 layer decoder accepts this as valid, but the E2AP encoder asserts a non-empty constraint when forwarding the request. A remote unauthenticated attacker can crash the iApp process (port 36422) via SIGABRT by exploiting this cross-layer validation mismatch.
References		https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37225.md https://gitlab.eurecom.fr/mosaic5g/flexric

Subscriptions

Mosaic5g Flexric

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-06-01T00:00:00.000Z

Updated: 2026-06-01T18:48:24.429Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37225

Vulnrichment

Updated: 2026-06-01T18:48:18.543Z

NVD

Status : Deferred

Published: 2026-06-01T17:16:58.880

Modified: 2026-06-01T21:16:42.500

Link: CVE-2026-37225

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:55:27Z

Weaknesses

CWE-617
Reachable Assertion

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object