Severity: HIGH | CVE-2026-37220 | CNA: mitre

CVE-2026-37220: FlexRIC v2

FlexRIC v2.0.0 crashes when an SCTP association is closed before an E2_SETUP_REQUEST is sent. The near-RT RIC assumes a mapping between SCTP association and E2 node always exists in the cleanup path and enforces this via assert(). A remote unauthenticated attacker can crash the near-RT RIC (port 36421) by simply completing an SCTP handshake and immediately disconnecting, without sending any E2AP message.
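
The cleanup-path assumption described above, modelled as an added example; it is not FlexRIC source code and not part of the original advisory. The table layout, handler names and ids are hypothetical: `on_close_asserting` enforces the mapping with assert(), while `on_close_tolerant` treats a close that arrives before E2_SETUP_REQUEST as ordinary input.

```c
/* Added illustration: a hypothetical model, not FlexRIC source code. */
#include <assert.h>
#include <stddef.h>

#define MAX_ASSOC 8
#define NO_NODE (-1)

/* An entry exists only once E2_SETUP_REQUEST has arrived on the association. */
typedef struct { int used, assoc_id, node_id; } map_entry_t;
typedef struct { map_entry_t e[MAX_ASSOC]; int released, orphan_closes; } ric_t;

static map_entry_t *find_assoc(ric_t *r, int assoc_id) {
    for (size_t i = 0; i < MAX_ASSOC; i++)
        if (r->e[i].used && r->e[i].assoc_id == assoc_id) return &r->e[i];
    return NULL;
}

/* E2_SETUP_REQUEST handler: bind the association to an E2 node. */
int on_e2_setup(ric_t *r, int assoc_id, int node_id) {
    if (find_assoc(r, assoc_id)) return -1;          /* already bound */
    for (size_t i = 0; i < MAX_ASSOC; i++)
        if (!r->e[i].used) { r->e[i] = (map_entry_t){1, assoc_id, node_id}; return 0; }
    return -1;                                       /* table full */
}

/* Pattern from the advisory: cleanup asserts that the mapping exists, so a
   peer that closes before setup turns a normal event into abort(). */
void on_close_asserting(ric_t *r, int assoc_id) {
    map_entry_t *m = find_assoc(r, assoc_id);
    assert(m != NULL);
    m->used = 0;
    r->released++;
}

/* Tolerant form: a missing mapping is expected input, counted and ignored. */
int on_close_tolerant(ric_t *r, int assoc_id) {
    map_entry_t *m = find_assoc(r, assoc_id);
    if (m == NULL) { r->orphan_closes++; return NO_NODE; }
    m->used = 0;
    r->released++;
    return m->node_id;
}

int main(void) {
    ric_t r = {0};
    return on_close_tolerant(&r, 7) == NO_NODE ? 0 : 1;  /* close before setup */
}
```

The `orphan_closes` counter is the kind of signal worth exporting: a rising count of associations closed before setup is visible in monitoring instead of ending the process.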

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: none published
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a denial-of-service vulnerability in FlexRIC v2.0.0, specifically in its near-RT RIC (RAN Intelligent Controller) component. The flaw is reachable over the network with no authentication required: an attacker completes an SCTP handshake on port 36421 and immediately drops the connection before sending any E2AP message, triggering a failed assert() that crashes the process. Successful exploitation causes a full service disruption of the near-RT RIC, taking down the O-RAN control plane for any connected E2 nodes. HarborGuard is tracking this advisory for patch availability since no fix version has been published.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-37220 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that package FlexRIC v2.0.0 or derived O-RAN components.
Triage: Available

HarborGuard scores this finding at CVSS 7.5 (HIGH) using the published v3.1 vector and applies per-environment compliance policy weighting to determine urgency and routing, directing alerts to the appropriate team inbox within each customer organization.
Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, a rebuild, regression test run, and pull request against affected workloads will be initiated without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the near-RT RIC service over the network; port 36421 must be accessible from the attacker's position.

  • Authentication: Not required

    No credentials or session tokens are needed; completing the SCTP handshake and then disconnecting is sufficient to trigger the crash.

  • Victim interaction: Not required

    The crash is triggered entirely by the attacker's own connection and disconnection sequence, with no action required from any user or operator.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; the attacker only needs to open and close an SCTP connection, with no timing constraints or environmental dependencies.

Blast Radius

  • Crashes the near-RT RIC process, immediately halting all E2 interface control-plane operations for connected RAN nodes.
  • Takes down O-RAN network intelligence functions that depend on the near-RT RIC, interrupting policy enforcement and real-time RAN management for the duration of the outage.
  • Allows repeated triggering on process restart, enabling a sustained denial-of-service with minimal attacker effort.

How HarborGuard Handles This

Available on HarborGuard: matching for CVE-2026-37220 runs against all scanned images on every ingest cycle, including custom images that bundle FlexRIC or O-RAN components. Because no upstream patch exists yet, the primary immediate capability is detection and alerting. As compensating controls, customers should consider restricting access to SCTP port 36421 with a strict network policy that whitelists only known E2 node addresses, applying egress and ingress filtering at the cluster or host boundary to limit the attacker pool, and where operationally feasible, placing the near-RT RIC behind a load balancer or proxy that validates association state before forwarding. HarborGuard monitors the upstream FlexRIC advisory and will make a patched-image rebuild available, along with an automatic rebuild, regression run, and PR for customers with auto-remediation enabled, as soon as the upstream project publishes a fix.

Affected packages
  • n/a / n/a
    n/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H