Impact
FlexRIC v2.0.0 accepts multiple SCTP connections attempting to register distinct xapp_ids by sending successive E42_SETUP_REQUEST messages. After a disconnect, only the first registered xapp_id’s resources are released, while the remaining xapp_ids and their subscriptions persist as stale entries. An attacker controlling a remote SCTP session can repeatedly exploit this flaw to expose subscription state information within the iApp, potentially exhausting system resources or corrupting application state over time. The weakness represents improper resource cleanup leading to state leakage. Based on the description, the impact is primarily a gradual degradation of service reliability and confidentiality of subscription data.
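A simplified model of the cleanup flaw described above, added here as an illustration and not taken from FlexRIC's source: the registry, its function names and the association id 7 are hypothetical. It contrasts a disconnect handler that releases only the first xapp_id registered on an SCTP association with one that releases every xapp_id that association registered.

```c
#include <stdio.h>

#define MAX_XAPPS 16

/* Hypothetical registry row: which SCTP association registered an xApp id
 * and how many subscriptions that id holds. Not FlexRIC's data structures. */
typedef struct { int in_use, assoc_id, xapp_id, subs; } xapp_entry;
typedef struct { xapp_entry e[MAX_XAPPS]; int next_id; } registry;

/* Handle one setup request on assoc_id; returns the new xapp_id or -1. */
int reg_setup(registry *r, int assoc_id) {
    for (int i = 0; i < MAX_XAPPS; i++)
        if (!r->e[i].in_use) {
            r->e[i] = (xapp_entry){1, assoc_id, ++r->next_id, 0};
            return r->e[i].xapp_id;
        }
    return -1;
}

/* Record one subscription for xapp_id; returns 0 on success, -1 if unknown. */
int reg_subscribe(registry *r, int xapp_id) {
    for (int i = 0; i < MAX_XAPPS; i++)
        if (r->e[i].in_use && r->e[i].xapp_id == xapp_id) { r->e[i].subs++; return 0; }
    return -1;
}

/* Release entries owned by assoc_id. first_only=1 models the leaky cleanup
 * (stop after the first match); first_only=0 releases every match. */
int reg_disconnect(registry *r, int assoc_id, int first_only) {
    int released = 0;
    for (int i = 0; i < MAX_XAPPS; i++)
        if (r->e[i].in_use && r->e[i].assoc_id == assoc_id) {
            r->e[i] = (xapp_entry){0};
            released++;
            if (first_only) break;
        }
    return released;
}

/* Entries (and their subscriptions) still attributed to assoc_id. */
int reg_stale(const registry *r, int assoc_id, int *subs) {
    int n = 0; *subs = 0;
    for (int i = 0; i < MAX_XAPPS; i++)
        if (r->e[i].in_use && r->e[i].assoc_id == assoc_id) { n++; *subs += r->e[i].subs; }
    return n;
}

int main(void) {
    registry r = {0}; int subs;
    for (int i = 0; i < 3; i++) reg_subscribe(&r, reg_setup(&r, 7));
    reg_disconnect(&r, 7, 1);
    printf("stale ids after first-only cleanup: %d\n", reg_stale(&r, 7, &subs));
    return 0;
}
```

Counting entries still attributed to an association that has already closed, as `reg_stale` does in this model, is also a usable health check for spotting accumulated stale registrations.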
Affected Systems
All deployments of FlexRIC version 2.0.0, produced by the Mosaic5G project (identified by the GitLab repository gitlab.eurecom.fr/mosaic5g/flexric), are affected. If other vendors ship the same codebase without updating, those products are also vulnerable.
Risk and Exploitability
The CVSS score is 8.2, indicating a high severity vulnerability that can be exploited over a remote SCTP connection and used repeatedly to create a denial‑of‑service condition. The EPSS score is < 1%, indicating a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers would need open network access to a FlexRIC instance and the ability to establish SCTP connections. Once connected, they could send multiple E42_SETUP_REQUEST packets, then disconnect to trigger the resource leak, thereby causing accumulation of stale subscriptions and exposing sensitive state.