Description
FlexRIC v2.0.0 contains a reachable assertion in e2ap_recv_sctp_msg() (src/lib/ep/e2ap_ep.c). The function allocates a fixed 32KB receive buffer and enforces assert(rc < len) on the sctp_recvmsg() return value. A remote unauthenticated attacker can send a single SCTP message with payload >= 32,768 bytes to crash the near-RT RIC, iApp, E2 Agent, or xApp process via SIGABRT. No valid E2AP PDU is required. All four SCTP endpoint types (ports 36421 and 36422) share this vulnerable code path. In Release builds (NDEBUG), the stripped assertion leads to a signed-to-unsigned integer overflow and potential out-of-bounds read.
Published: 2026-06-01
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FlexRIC v2.0.0 contains a reachable assertion in e2ap_recv_sctp_msg() that checks the size of incoming SCTP payloads against a fixed 32KB buffer. Sending a payload larger than this limit triggers the assert and results in a SIGABRT, crashing the near‑RT RIC, iApp, E2 Agent, or xApp process. In Release builds the stripped assert leads to a signed‑to‑unsigned integer overflow, potentially causing an out‑of‑bounds read. No valid E2AP protocol data unit is required, so the fault can be invoked by any malformed SCTP packet.

Affected Systems

The vulnerability resides in FlexRIC version 2.0.0 and affects all four SCTP endpoint types that listen on ports 36421 and 36422. These endpoints expose services for the near‑RT RIC, iApp, E2 Agent, and xApp components.

Risk and Exploitability

The flaw can be exploited remotely by an unauthenticated attacker who can send a single oversized SCTP packet. Because the attack does not require authentication or a valid protocol message, the attack vector is readily usable over the public network. The CVSS score is 7.5, the EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog, indicating that while active exploitation has not been confirmed, the path is available to adversaries aware of the exposed SCTP ports.

Generated by OpenCVE AI on June 2, 2026 at 16:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Notify the vendor and install a newer FlexRIC release that removes the vulnerable assertion or corrects the integer overflow.
  • Block or restrict SCTP traffic to ports 36421 and 36422 from untrusted networks, and enforce a maximum payload size in any network device or application firewall.
  • Configure the services to automatically restart on crash and monitor system logs for SIGABRT events to detect exploitation attempts.

Generated by OpenCVE AI on June 2, 2026 at 16:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mosaic5g:flexric:2.0.0:*:*:*:*:*:*:*

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Mosaic5g
Mosaic5g flexric
Vendors & Products Mosaic5g
Mosaic5g flexric

Tue, 02 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Title Unrestricted Buffer‑Overflow Assertion Crash in FlexRIC SCTP Receiver
Weaknesses CWE-680
CWE-788

Tue, 02 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-617
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title Unrestricted Buffer‑Overflow Assertion Crash in FlexRIC SCTP Receiver
Weaknesses CWE-680
CWE-788

Mon, 01 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description FlexRIC v2.0.0 contains a reachable assertion in e2ap_recv_sctp_msg() (src/lib/ep/e2ap_ep.c). The function allocates a fixed 32KB receive buffer and enforces assert(rc < len) on the sctp_recvmsg() return value. A remote unauthenticated attacker can send a single SCTP message with payload >= 32,768 bytes to crash the near-RT RIC, iApp, E2 Agent, or xApp process via SIGABRT. No valid E2AP PDU is required. All four SCTP endpoint types (ports 36421 and 36422) share this vulnerable code path. In Release builds (NDEBUG), the stripped assertion leads to a signed-to-unsigned integer overflow and potential out-of-bounds read.
References

Subscriptions

Mosaic5g Flexric
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-02T13:02:45.307Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37228

cve-icon Vulnrichment

Updated: 2026-06-02T13:02:35.608Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-01T19:16:33.187

Modified: 2026-06-03T17:16:35.563

Link: CVE-2026-37228

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T20:55:21Z

Weaknesses