CVE-2026-37222: FlexRIC v2
FlexRIC v2.0.0 uses hardcoded assertions to validate Information Element (IE) counts in decoded E2AP messages. A remote unauthenticated attacker can send a valid E2AP PDU containing an unexpected number of IEs (e.g., an E2setupRequest with extra optional fields) to crash the near-RT RIC (port 36421) or iApp (port 36422) via SIGABRT. The code asserts exact IE counts rather than validating against protocol-specified ranges.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A denial-of-service vulnerability exists in FlexRIC v2.0.0 caused by hardcoded assertions that check for exact Information Element (IE) counts in decoded E2AP messages. An unauthenticated attacker reachable over the network can send a specially crafted but protocol-valid E2AP PDU containing an unexpected number of IEs, triggering a SIGABRT crash in the near-RT RIC (port 36421) or iApp (port 36422). Successful exploitation crashes the affected service, disrupting RAN intelligent controller operations. No upstream fix has been published; HarborGuard tracks the advisory for patch availability.
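The assertion-versus-validation contrast described in the synopsis, as an added example that is not FlexRIC's code: a constructed, simplified model of a decoded E2AP message with placeholder IE ids and a placeholder spec table (the real ids and constraints come from the E2AP ASN.1 definition), showing the exact-count assert beside a validator that checks mandatory presence and per-IE occurrence limits and returns an error code instead of aborting.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a decoded E2AP message (a list of IE ids); not FlexRIC's
 * real structures. The IE ids below are placeholders, not actual E2AP protocol ids. */
enum { IE_MAX = 16 };
typedef struct { uint32_t ie_id[IE_MAX]; size_t count; } decoded_msg_t;
enum { IE_TRANSACTION_ID = 1, IE_GLOBAL_E2_NODE_ID = 2,
       IE_RAN_FUNCTIONS_ADDED = 3, IE_E2_NODE_COMPONENT_CONFIG = 4 };

/* Vulnerable pattern: an exact-count assertion. A protocol-valid PDU carrying an
 * extra optional IE fails the assert and the process dies with SIGABRT. */
#define EXPECTED_IE_COUNT 2 /* hypothetical count the developer hardcoded */
void check_ies_vulnerable(const decoded_msg_t *m) {
    assert(m->count == EXPECTED_IE_COUNT);
}

/* Hardened pattern: validate against a per-message spec (mandatory flag and maximum
 * occurrences per IE, as the ASN.1 definition gives) and report an error, never abort. */
typedef struct { uint32_t id; bool mandatory; unsigned max_occurs; } ie_spec_t;
typedef enum { IE_OK = 0, IE_ERR_TOO_MANY, IE_ERR_UNKNOWN,
               IE_ERR_DUPLICATE, IE_ERR_MISSING } ie_result_t;
static const ie_spec_t E2SETUP_SPEC[] = {   /* placeholder spec for an E2setupRequest */
    { IE_TRANSACTION_ID,           true,  1 },
    { IE_GLOBAL_E2_NODE_ID,        true,  1 },
    { IE_RAN_FUNCTIONS_ADDED,      false, 1 },
    { IE_E2_NODE_COMPONENT_CONFIG, false, 1 },
};

ie_result_t validate_ies(const decoded_msg_t *m, const ie_spec_t *spec, size_t nspec) {
    unsigned seen[IE_MAX] = {0};                 /* occurrences per spec entry */
    if (m->count > IE_MAX || nspec > IE_MAX) return IE_ERR_TOO_MANY;
    for (size_t i = 0; i < m->count; i++) {
        size_t k = 0;
        while (k < nspec && spec[k].id != m->ie_id[i]) k++;
        if (k == nspec) return IE_ERR_UNKNOWN;   /* real E2AP consults the IE's criticality here */
        if (++seen[k] > spec[k].max_occurs) return IE_ERR_DUPLICATE;
    }
    for (size_t k = 0; k < nspec; k++)
        if (spec[k].mandatory && seen[k] == 0) return IE_ERR_MISSING;
    return IE_OK;                                /* any IE count within the spec is accepted */
}

/* Build a message from an id list and validate it as an E2setupRequest. */
ie_result_t validate_e2setup_ids(const uint32_t *ids, size_t n) {
    if (n > IE_MAX) return IE_ERR_TOO_MANY;
    decoded_msg_t m = { .count = n };
    for (size_t i = 0; i < n; i++) m.ie_id[i] = ids[i];
    return validate_ies(&m, E2SETUP_SPEC, sizeof E2SETUP_SPEC / sizeof E2SETUP_SPEC[0]);
}
```

A message with all optional IEs present passes the hardened validator, while the exact-count assert would abort on it; malformed inputs (duplicate, missing mandatory, unknown IE) are rejected with an error the caller can log and drop.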
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle FlexRIC v2.0.0 components.
Status: Available
Triage is available using the CVSS v3.1 score of 7.5 (HIGH), weighted against each customer organization's compliance policy to determine severity in that environment and route findings to the appropriate team inbox.
Status: Available
Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released upstream. For customers with auto-remediation enabled, a rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the target service over the network; the vulnerable E2AP listener is exposed on TCP/SCTP ports 36421 and 36422.
- Authentication: Not required
No credentials or account are needed; the attacker sends unauthenticated E2AP PDUs directly to the listening port.
- Victim interaction: Not required
No user or operator action is required; the crash is triggered entirely by the attacker's inbound network message.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and condition-free as long as the port is reachable; no race conditions or special environmental factors are required.
Blast Radius
- Crashes the near-RT RIC process via SIGABRT, taking down the RAN intelligent controller and halting E2 interface processing.
- Crashes the iApp process via SIGABRT, disabling any xApp or iApp workloads that depend on it.
- All availability impact is confined to the affected FlexRIC instance; there is no evidence of data disclosure or data modification from this vulnerability.
How HarborGuard Handles This
Available on HarborGuard: because no upstream patch exists for CVE-2026-37222, the advisory is re-evaluated on every ingest cycle so that a patched-image rebuild becomes available immediately once an upstream fix is published. In the meantime, customers can apply compensating controls by using network policy to restrict inbound access to ports 36421 and 36422 to known, authorized E2 nodes only, and by enabling egress filtering to limit lateral reach if a crash is leveraged as part of a broader attack chain. Where compliance policy permits, HarborGuard can surface these network-isolation recommendations directly in the finding detail. The moment an upstream fix is published, customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads automatically.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H