HIGH · CVE-2026-37221 · CNA: mitre

CVE-2026-37221: FlexRIC v2

FlexRIC v2.0.0 crashes when receiving a RIC_SUBSCRIPTION_RESPONSE with an unknown ric_id that has no corresponding pending event. The near-RT RIC uses assert() to enforce the existence of a pending event during response processing. A remote unauthenticated attacker can send a forged RIC_SUBSCRIPTION_RESPONSE to the near-RT RIC (port 36421) to cause SIGABRT in Debug builds or NULL pointer dereference (SIGSEGV) in Release builds.
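
The failure mode described above, shown as an added C example (not FlexRIC source code): the type, function and table names are hypothetical and the ids are constructed sample values. It places the assert()-guarded lookup beside a handler that treats an unknown ric_id as a rejectable protocol error.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical pending-event record: one entry per outstanding request. */
typedef struct { uint16_t ric_id; int completed; } pending_ev_t;

/* Constructed sample table: two subscriptions awaiting a response. */
static pending_ev_t pending[] = { { 7, 0 }, { 9, 0 } };
static unsigned dropped_unknown_id;   /* responses rejected for unknown id */

static pending_ev_t *find_pending(uint16_t ric_id)
{
    for (size_t i = 0; i < sizeof pending / sizeof pending[0]; i++)
        if (pending[i].ric_id == ric_id)
            return &pending[i];
    return NULL;                      /* id is peer-supplied, may be unknown */
}

/* Pattern from the advisory: assert() guards peer-controlled input.
 * Debug build: the assert fires -> abort() -> SIGABRT.
 * Release build (-DNDEBUG): the assert compiles to nothing, ev is NULL,
 * and the write below dereferences it -> SIGSEGV. */
int handle_sub_response_asserting(uint16_t ric_id)
{
    pending_ev_t *ev = find_pending(ric_id);
    assert(ev != NULL);
    ev->completed = 1;
    return 0;
}

/* Hardened form: an unknown id is a protocol error, not a program
 * invariant. Reject the message, count it, keep the process alive. */
int handle_sub_response_checked(uint16_t ric_id)
{
    pending_ev_t *ev = find_pending(ric_id);
    if (ev == NULL) {
        dropped_unknown_id++;         /* export this counter to monitoring */
        return -1;
    }
    ev->completed = 1;
    return 0;
}

int main(void)
{
    /* 1234 is a constructed id with no pending event. */
    return handle_sub_response_checked(1234) == -1 ? 0 : 1;
}
```

The same source behaves differently per build type because NDEBUG removes the assert entirely, which is why the advisory lists two distinct signals.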

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: none published
  • Affected Products: 1

HarborGuard Analysis

Synopsis

This is a denial-of-service vulnerability in FlexRIC v2.0.0, an open-source near-RT RAN Intelligent Controller. The flaw is reachable over the network with no authentication required, matching the CVSS vector (AV:N/PR:N). A remote attacker who sends a forged RIC_SUBSCRIPTION_RESPONSE message containing an unknown ric_id causes the process to crash via SIGABRT in Debug builds or a NULL pointer dereference (SIGSEGV) in Release builds, taking the near-RT RIC offline. No fix version has been published; HarborGuard tracks the upstream advisory and will surface a patched-image rebuild the moment one becomes available.

HarborGuard Coverage

Detection

Detection for CVE-2026-37221 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle FlexRIC v2.0.0.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at 7.5 HIGH (CVSS v3.1) and weighting that score against each environment's compliance policy to determine urgency; alerts are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the meantime, customers can apply compensating controls such as network-policy isolation of port 36421 to reduce exposure.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The near-RT RIC listens on port 36421 over the network; an attacker must be able to reach that port to deliver the forged RIC_SUBSCRIPTION_RESPONSE message.

  • Authentication: Not required

    The CVSS vector specifies PR:N, meaning no credentials or prior account access are needed to send the malicious message.

  • Victim interaction: Not required

    The CVSS vector specifies UI:N; the crash is triggered by the forged network message alone, with no action required from any user or operator.

  • Attack complexity: Detail

    The CVSS vector specifies AC:L, meaning the exploit is reliable and requires no special timing, race conditions, or environment-specific preconditions beyond network access.

Blast Radius

  • Crashes the near-RT RIC process on the target host (SIGABRT in Debug builds, SIGSEGV in Release builds), terminating the controller.
  • Takes the affected near-RT RIC offline, disrupting RAN resource management and any dependent O-RAN control loops for the duration of the outage.
  • No confidentiality or integrity impact is indicated; the attacker gains no read or write access to data, only the ability to crash the service.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-37221 is active for any image that includes FlexRIC v2.0.0, and findings are surfaced in the customer dashboard with a 7.5 HIGH severity rating. Because no upstream patch exists yet, HarborGuard monitors the advisory on every ingest cycle and will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression-test run and a PR opened against affected workloads, the moment a fix version is published. While waiting for an upstream fix, customers are advised to restrict inbound access to port 36421 using Kubernetes NetworkPolicy or equivalent firewall rules, limiting exposure to trusted xApp and E2 node sources only. Customers whose compliance policy flags unpatched HIGH-severity CVEs for escalation will have this finding routed to the appropriate team inbox without manual intervention.

Affected packages
  • n/a / n/a
    n/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H