Description
FlexRIC v2.0.0 trusts the xapp_id field from E42 message payloads without binding it to the sender's SCTP association. The validation function valid_xapp_id() only checks that the value is within the assigned range. A remote unauthenticated attacker can impersonate any xApp by specifying their xapp_id in requests sent to the iApp (port 36422), causing responses to be misrouted to the victim xApp. This can crash the victim xApp, the RIC, or the iApp itself through state inconsistencies in the red-black tree data structure.
Published: 2026-06-01
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FlexRIC v2.0.0 accepts the xapp_id field in E42 message payloads without verifying that the value belongs to the sender’s SCTP association. The validation routine simply confirms that the id lies within the assigned range, allowing an attacker to fabricate xapp_id values. By impersonating any xApp, the attacker can cause responses to be misrouted to the victim xApp, potentially corrupting the red‑black tree data structure and leading to crashes of the victim xApp, the RIC, or the iApp itself. The vulnerability enables a remote unauthenticated attacker to induce denial of service and instability across the RIC stack.

Affected Systems

The affected product is FlexRIC v2.0.0. No other vendors or product variants were listed as impacted.

Risk and Exploitability

The vulnerability is exploitable over the internet via the iApp’s listening port (36422). An attacker only needs to send a crafted E42 message containing a chosen xapp_id; no authentication is required. The EPSS score is < 1% and the flaw is not listed in the CISA KEV catalog, indicating a low likelihood of exploitation in a typical environment. The CVSS score is 7.5, indicating high severity.

Generated by OpenCVE AI on June 2, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FlexRIC to the latest patched version that binds xapp_id to the SCTP association or otherwise validates identifiers before use.
  • If an update is unavailable, restrict inbound connections to the iApp port 36422 so that only trusted, authenticated networks can reach it. Use firewall or ACL rules to block untrusted hosts.
  • Monitor network traffic for anomalous E42 messages and observe RIC logs for unexpected crashes. If the vulnerability is detected, consider temporarily disabling affected xApps until a patch can be applied.

Generated by OpenCVE AI on June 2, 2026 at 20:22 UTC.
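The first recommended action asks for xapp_id to be bound to the SCTP association. The sketch below is an added illustration, not FlexRIC code, contrasting a range-only check with a check against the association the id was issued to. The registry, function names and id range are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_XAPPS   16
#define XAPP_ID_MIN 7          /* constructed value, not taken from FlexRIC */

/* Hypothetical registry: the association each xapp_id was issued to. */
typedef struct { bool in_use; uint16_t xapp_id; int32_t assoc_id; } binding_t;
typedef struct { binding_t slot[MAX_XAPPS]; uint16_t next_id; } registry_t;

void registry_init(registry_t *r) {
    memset(r, 0, sizeof *r);
    r->next_id = XAPP_ID_MIN;
}

/* Setup: issue a fresh id and record the association that asked for it.
 * assoc_id is whatever the transport reports for the peer, e.g.
 * sinfo_assoc_id from sctp_recvmsg(). Returns the id, or -1 if full. */
int registry_register(registry_t *r, int32_t assoc_id) {
    for (int i = 0; i < MAX_XAPPS; i++) {
        if (!r->slot[i].in_use) {
            r->slot[i] = (binding_t){ true, r->next_id, assoc_id };
            return r->next_id++;
        }
    }
    return -1;
}

/* Weak check, as the advisory describes: any id in the issued range passes. */
bool id_in_range(const registry_t *r, uint16_t xapp_id) {
    return xapp_id >= XAPP_ID_MIN && xapp_id < r->next_id;
}

/* Bound check: the id must have been issued to the receiving association. */
bool id_bound_to_sender(const registry_t *r, uint16_t xapp_id, int32_t rx_assoc) {
    for (int i = 0; i < MAX_XAPPS; i++) {
        const binding_t *b = &r->slot[i];
        if (b->in_use && b->xapp_id == xapp_id)
            return b->assoc_id == rx_assoc;
    }
    return false;                /* unknown or already released id */
}

/* Association closed: drop its ids so they cannot be claimed later. */
void registry_release(registry_t *r, int32_t assoc_id) {
    for (int i = 0; i < MAX_XAPPS; i++)
        if (r->slot[i].in_use && r->slot[i].assoc_id == assoc_id)
            r->slot[i].in_use = false;
}
```

A message handler would call id_bound_to_sender() with the association the message arrived on and reject the message before any lookup or state change when it returns false.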


Advisories

No advisories yet.

History

Wed, 03 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mosaic5g:flexric:2.0.0:*:*:*:*:*:*:*

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Title FlexRIC xApp ID Validation Flaw Enables Remote Unauthenticated DoS
First Time appeared Mosaic5g
Mosaic5g flexric
Vendors & Products Mosaic5g
Mosaic5g flexric

Tue, 02 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Title Remote xApp ID Validation Failure in FlexRIC v2.0.0
Weaknesses CWE-20

Tue, 02 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Mon, 01 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Title Remote xApp ID Validation Failure in FlexRIC v2.0.0
Weaknesses CWE-20

Mon, 01 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description FlexRIC v2.0.0 trusts the xapp_id field from E42 message payloads without binding it to the sender's SCTP association. The validation function valid_xapp_id() only checks that the value is within the assigned range. A remote unauthenticated attacker can impersonate any xApp by specifying their xapp_id in requests sent to the iApp (port 36422), causing responses to be misrouted to the victim xApp. This can crash the victim xApp, the RIC, or the iApp itself through state inconsistencies in the red-black tree data structure.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-02T15:52:25.219Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37235

Vulnrichment

Updated: 2026-06-02T15:52:21.363Z

NVD

Status: Analyzed

Published: 2026-06-01T19:16:33.850

Modified: 2026-06-03T17:15:58.377

Link: CVE-2026-37235

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:55:14Z

Weaknesses