Description
FlexRIC v2.0.0 crashes when the near-RT RIC receives a RIC_INDICATION message with a ran_func_id that does not exist in its registry. The lookup returns NULL, triggering assert() in Debug builds (SIGABRT) or NULL pointer dereference in Release builds (SIGSEGV). A remote unauthenticated attacker can crash the near-RT RIC (port 36421) by sending a crafted RIC_INDICATION with an arbitrary ran_func_id value.
Published: 2026-06-01
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FlexRIC v2.0.0 near‑RT RIC crashes when it receives a RIC_INDICATION message containing a ran_func_id that is not present in its registry. The lookup returns NULL, causing an assert in debug builds and a null pointer dereference in release builds, resulting in SIGABRT or SIGSEGV. The flaw is a null pointer dereference (CWE‑476) and delivers a denial‑of‑service by crashing the service.
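The defect class described above, a registry lookup whose miss is asserted instead of handled, is fixed by treating an unknown ran_func_id as untrusted input to reject and count. The sketch below is an added example, not FlexRIC's code; every type, function and registry entry in it is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins; these are not FlexRIC's types or function names. */
typedef struct {
  uint16_t ran_func_id;
  int (*on_indication)(const uint8_t *msg, size_t len);
} ran_func_t;

static int sm_on_indication(const uint8_t *msg, size_t len) { (void)msg; return (int)len; }

/* Constructed registry: only IDs 2 and 3 are registered. */
static const ran_func_t registry[] = { {2, sm_on_indication}, {3, sm_on_indication} };

static const ran_func_t *find_ran_func(uint16_t id) {
  for (size_t i = 0; i < sizeof registry / sizeof registry[0]; i++)
    if (registry[i].ran_func_id == id) return &registry[i];
  return NULL; /* a miss is a normal outcome for peer-supplied IDs */
}

typedef enum { IND_OK = 0, IND_UNKNOWN_RAN_FUNC = -1, IND_MALFORMED = -2 } ind_status_t;

static unsigned long dropped_unknown; /* export this counter for alerting */

/* Shape of the flaw as the description states it (kept as a comment only):
 *   rf = find_ran_func(id);
 *   assert(rf != NULL);           -> SIGABRT in Debug, removed by NDEBUG
 *   rf->on_indication(msg, len);  -> NULL dereference (SIGSEGV) in Release
 * Hardened handler: validate, reject, log, and keep serving. */
ind_status_t handle_indication(uint16_t id, const uint8_t *msg, size_t len) {
  if (msg == NULL || len == 0) return IND_MALFORMED;
  const ran_func_t *rf = find_ran_func(id);
  if (rf == NULL) {
    dropped_unknown++;
    fprintf(stderr, "RIC_INDICATION dropped: unknown ran_func_id=%u\n", (unsigned)id);
    return IND_UNKNOWN_RAN_FUNC;
  }
  rf->on_indication(msg, len);
  return IND_OK;
}

unsigned long dropped_count(void) { return dropped_unknown; }

int main(void) {
  const uint8_t msg[] = {0x01, 0x02}; /* constructed payload */
  printf("known=%d unknown=%d\n", handle_indication(2, msg, sizeof msg),
         handle_indication(999, msg, sizeof msg));
  return 0;
}
```

A rising drop counter gives a detection signal for the same traffic that previously surfaced only as a SIGSEGV or SIGABRT.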

Affected Systems

The affected component is FlexRIC near‑RT RIC, version 2.0.0, found in the Mosaic5g/FlexRIC repository. It listens on TCP port 36421. No manufacturer is listed; the repository hosts the source.

Risk and Exploitability

An unauthenticated attacker can trigger the crash by sending a crafted RIC_INDICATION with an arbitrary ran_func_id to port 36421. No authentication is required and the exploit is immediate and deterministic. The CVSS score is 7.5, indicating high severity. The EPSS score is < 1%, and the vulnerability is not listed in the KEV catalog, but given its simplicity it should be treated with high urgency.

Generated by OpenCVE AI on June 2, 2026 at 17:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FlexRIC to a version that has fixed the null pointer dereference in the RIC_INDICATION handling code.
  • Restrict inbound traffic to port 36421 to only trusted peers or internal networks using firewall rules.
  • Monitor the RIC process for crashes and alerts generated by SIGSEGV/SIGABRT events to detect attempted exploitation.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:mosaic5g:flexric:2.0.0:*:*:*:*:*:*:*

Wed, 03 Jun 2026 02:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mosaic5g; Mosaic5g flexric
Vendors & Products | | Mosaic5g; Mosaic5g flexric

Tue, 02 Jun 2026 18:15:00 +0000

Type | Values Removed | Values Added
Title | | Unauthenticated Crash via Invalid RIC_INDICATION in FlexRIC

Tue, 02 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}; ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 21:15:00 +0000

Type | Values Removed | Values Added
Title | | Unauthenticated Crash via Invalid RIC_INDICATION in FlexRIC
Weaknesses | | CWE-476

Mon, 01 Jun 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | FlexRIC v2.0.0 crashes when the near-RT RIC receives a RIC_INDICATION message with a ran_func_id that does not exist in its registry. The lookup returns NULL, triggering assert() in Debug builds (SIGABRT) or NULL pointer dereference in Release builds (SIGSEGV). A remote unauthenticated attacker can crash the near-RT RIC (port 36421) by sending a crafted RIC_INDICATION with an arbitrary ran_func_id value.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-02T15:27:19.609Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37230

Vulnrichment

Updated: 2026-06-02T15:27:14.874Z

NVD

Status: Analyzed

Published: 2026-06-01T19:16:33.410

Modified: 2026-06-03T17:16:22.507

Link: CVE-2026-37230

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:55:18Z

Weaknesses