Description
An issue was discovered in OpenAirInterface5G 2.4.0 (nr-softmodem) in the E2SM-KPM RAN Function's PRB utilization metric calculation. The functions fill_RRU_PrbTotDl() and fill_RRU_PrbTotUl() in openair2/E2AP/RAN_FUNCTION/O-RAN/ran_func_kpm_subs.c (lines 182 and 197) compute PRB usage percentages by dividing by the difference of two consecutive total_prb_aggregate samples without checking for zero. When a malicious xApp sends a high volume of E42_RIC_SUBSCRIPTION_REQUESTs via the FlexRIC iApp (port 36422/SCTP), the E2 Agent generates KPM Indication reports at high frequency. If two consecutive sampling intervals yield identical PRB aggregate values, the divisor becomes zero, triggering SIGFPE and crashing the entire 5G base station process (nr-softmodem). This results in complete 5G cell service interruption for all connected UEs. No authentication is required.
Published: 2026-06-01
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the PRB utilization metric calculation within OpenAirInterface5G 2.4.0. The code divides by the difference of two consecutive total_prb_aggregate samples without verifying that the divisor is non-zero. When two samples are identical, the operation triggers a floating‑point exception, crashing the entire nr-softmodem process and bringing down the base station. This results in an abrupt and comprehensive loss of service for all user equipments attached to the cell. No authentication is required before an attacker can trigger the vulnerability, making it straightforward to exploit. The weakness is essentially a division-by-zero error.

Affected Systems

This issue affects the OpenAirInterface5G 2.4.0 openair2/E2AP/RAN_FUNCTION/O-RAN/ran_func_kpm_subs.c implementation of the E2SM-KPM RAN Function. The software component lives in the base station’s nr-softmodem process, which is responsible for running the 5G radio access network. No other products or vendor versions are specified in the advisory.

Risk and Exploitability

Executing the exploit requires no authentication and can be performed by an adversary who can send a high volume of E42_RIC_SUBSCRIPTION_REQUEST messages to the FlexRIC iApp via port 36422/SCTP. The CVSS score is 8.6 and the EPSS score is < 1%, signifying a high‑severity vulnerability with a very low but non-zero exploitation probability. The vulnerability is not listed in the CISA KEV catalog, suggesting that no confirmed public exploitation has been reported yet, although the potential for widespread denial of service remains high.

Generated by OpenCVE AI on June 2, 2026 at 15:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch for OpenAirInterface5G 2.4.0 that validates the divisor before performing the division
  • If a patch is unavailable, block or rate‑limit traffic to port 36422/SCTP to prevent high‑frequency subscription requests
  • Configure the network to isolate or sandbox the E2 agent process so that a crash does not bring down the entire base station

Generated by OpenCVE AI on June 2, 2026 at 15:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openairinterface:openairinterface5g:2.4.0:*:*:*:*:*:*:*

Tue, 02 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Title PRB Utilization Metric Division by Zero Crash

Tue, 02 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Title PRB Utilization Metric Division by Zero Crash
Weaknesses CWE-369

Mon, 01 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Openairinterface
Openairinterface openairinterface5g
Vendors & Products Openairinterface
Openairinterface openairinterface5g

Mon, 01 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description An issue was discovered in OpenAirInterface5G 2.4.0 (nr-softmodem) in the E2SM-KPM RAN Function's PRB utilization metric calculation. The functions fill_RRU_PrbTotDl() and fill_RRU_PrbTotUl() in openair2/E2AP/RAN_FUNCTION/O-RAN/ran_func_kpm_subs.c (lines 182 and 197) compute PRB usage percentages by dividing by the difference of two consecutive total_prb_aggregate samples without checking for zero. When a malicious xApp sends a high volume of E42_RIC_SUBSCRIPTION_REQUESTs via the FlexRIC iApp (port 36422/SCTP), the E2 Agent generates KPM Indication reports at high frequency. If two consecutive sampling intervals yield identical PRB aggregate values, the divisor becomes zero, triggering SIGFPE and crashing the entire 5G base station process (nr-softmodem). This results in complete 5G cell service interruption for all connected UEs. No authentication is required.
References

Subscriptions

Openairinterface Openairinterface5g
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-02T12:54:18.244Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37232

cve-icon Vulnrichment

Updated: 2026-06-02T12:54:04.454Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-01T19:16:33.623

Modified: 2026-06-03T20:26:10.120

Link: CVE-2026-37232

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T15:30:11Z

Weaknesses