CVE-2026-37228
7.5 HIGH
FlexRIC v2.0.0 contains a reachable assertion in e2ap_recv_sctp_msg() (src/lib/ep/e2ap_ep.c)
Published: 2026-06-01 · Last updated: 2026-06-03
Severity and scoring
- CVSS: 7.5 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CWE: CWE-617
Affected products
| Vendor | Product |
|---|---|
| mosaic5g | flexric |
Description
FlexRIC v2.0.0 contains a reachable assertion in e2ap_recv_sctp_msg() (src/lib/ep/e2ap_ep.c). The function allocates a fixed 32KB receive buffer and enforces assert(rc < len) on the sctp_recvmsg() return value. A remote unauthenticated attacker can send a single SCTP message with payload >= 32,768 bytes to crash the near-RT RIC, iApp, E2 Agent, or xApp process via SIGABRT. No valid E2AP PDU is required. All four SCTP endpoint types (ports 36421 and 36422) share this vulnerable code path. In Release builds (NDEBUG), the stripped assertion leads to a signed-to-unsigned integer overflow and potential out-of-bounds read.
Source: NVD
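The length handling described above, as an added example that is not FlexRIC's code: it contrasts using the receive return value as a length with no runtime check (the situation once assert(rc < len) is compiled out) with a check that survives Release builds. The names RX_BUF_LEN, rx_status, unchecked_len and checked_len are hypothetical, and the sample return values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RX_BUF_LEN 32768  /* 32KB receive buffer size stated in the description */

typedef enum { RX_OK, RX_ERROR, RX_OVERSIZE } rx_status;

/* Pattern left behind when assert(rc < len) is stripped by NDEBUG:
 * the signed return value becomes an unsigned length with no check. */
static size_t unchecked_len(int rc)
{
    return (size_t)rc;   /* -1 becomes SIZE_MAX; rc == len passes through */
}

/* Hardened form: validate with runtime conditions, never with an assertion,
 * so peer-controlled input can neither abort the process nor skip the check. */
static rx_status checked_len(int rc, size_t cap, size_t *out_len)
{
    *out_len = 0;
    if (rc < 0)
        return RX_ERROR;      /* receive failed: report it and keep running */
    if ((size_t)rc >= cap)
        return RX_OVERSIZE;   /* buffer filled: message may be truncated, reject */
    *out_len = (size_t)rc;
    return RX_OK;
}

int main(void)
{
    /* Constructed values standing in for sctp_recvmsg() return codes. */
    const int samples[] = { 512, RX_BUF_LEN - 1, RX_BUF_LEN, -1 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n;
        rx_status s = checked_len(samples[i], RX_BUF_LEN, &n);
        printf("rc=%d unchecked=%zu status=%d len=%zu\n",
               samples[i], unchecked_len(samples[i]), (int)s, n);
    }
    return 0;
}
```

A caller would treat RX_ERROR and RX_OVERSIZE as per-association failures (log and close that association) rather than process-fatal conditions.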
Related CVEs
Same vendor
- CVE-2026-37234 — FlexRIC v2.0.0 allows a single SCTP connection to bind multiple xapp_ids by sending multiple E42_SETUP_REQUESTs (8.2 HIGH)
- CVE-2026-37235 — FlexRIC v2.0.0 trusts the xapp_id field from E42 message payloads without binding it to the sender's SCTP association (7.5 HIGH)
- CVE-2026-37233 — FlexRIC v2.0.0 contains an authorization bypass in the iApp's xApp isolation mechanism (7.5 HIGH)
- CVE-2026-37231 — FlexRIC v2.0.0 uses a uint16_t counter for xapp_id assignment but stores the value in uint32_t message fields (7.5 HIGH)
- CVE-2026-37230 — FlexRIC v2.0.0 crashes when the near-RT RIC receives a RIC_INDICATION message with a ran_func_id that does not exist in its registry (7.5 HIGH)
Same CWE
- CVE-2026-29116 — A vulnerability has been found in some Dahua products that could allow an unauthenticated remote attacker to send a specially crafted packet, ...
- CVE-2026-29115 — A vulnerability has been found in some Dahua products that could allow an authenticated remote attacker to send a specially crafted packet, tr...
- CVE-2026-46543 — Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm (5.3 MEDIUM)
- CVE-2026-46542 — Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm (4.3 MEDIUM)
- CVE-2026-9750 — An authenticated user can cause a MongoDB server to crash or return incorrect results by creating documents that interfere with internal ... (6.5 MEDIUM)