Severity: HIGH | CVE-2026-37223 | CNA: mitre

CVE-2026-37223: FlexRIC v2

FlexRIC v2.0.0 contains a reachable assertion in the iApp message dispatcher. The dispatcher validates incoming E2AP messages against a 9-entry whitelist using assert(). A remote unauthenticated attacker can send any decodable E2AP PDU with a message type not in the whitelist to crash the iApp process (port 36422) via SIGABRT. Since iApp and the near-RT RIC share one process, this terminates the entire RIC service and disconnects all E2 Nodes and xApps.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: none published
  • Affected Products: 1

HarborGuard Analysis

Synopsis

Reachable-assertion denial of service in FlexRIC v2.0.0 affects the iApp message dispatcher. A remote, unauthenticated attacker can send a valid but unlisted E2AP PDU to port 36422, triggering an assert() call that aborts the process via SIGABRT. Because iApp and the near-RT RIC share a single process, the crash terminates the entire RIC service and disconnects all E2 Nodes and xApps. No upstream fix has been published; HarborGuard tracks the advisory for patch availability.
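
The reachable-assertion pattern described above, next to a hardened form, as an added example; it is not FlexRIC or HarborGuard code. The type codes, function names and counters are hypothetical, and the sample input is constructed.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed 9-entry allow-list of message-type codes (not FlexRIC's values). */
static const int ALLOWED[9] = {0, 2, 3, 5, 8, 9, 12, 13, 20};

bool type_allowed(int type) {
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (ALLOWED[i] == type) return true;
    return false;
}

/* Pattern the advisory describes: the check on network input is an assert(),
 * so an unlisted type calls abort() (SIGABRT) and ends the whole process.
 * Built with -DNDEBUG the check is compiled out and nothing is validated. */
int dispatch_assert(int type) {
    assert(type_allowed(type));
    return 0; /* the per-type handler would run here */
}

enum { DISPATCH_OK = 0, DISPATCH_REJECTED = -1 };
struct dispatch_stats { unsigned long handled, rejected; };

/* Hardened form: an unlisted type is a protocol error on one connection.
 * Count it and return so the caller drops the PDU; the process keeps running. */
int dispatch_checked(int type, struct dispatch_stats *st) {
    if (!type_allowed(type)) {
        st->rejected++;
        return DISPATCH_REJECTED;
    }
    st->handled++;
    return DISPATCH_OK;
}

int main(void) {
    const int sample[] = {2, 99, 13, -1}; /* constructed: two listed, two not */
    struct dispatch_stats st = {0, 0};
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        printf("type %d -> %s\n", sample[i],
               dispatch_checked(sample[i], &st) == DISPATCH_OK ? "handled" : "rejected");
    printf("handled=%lu rejected=%lu\n", st.handled, st.rejected);
    return 0;
}
```

The rejected counter doubles as a detection signal: a rising count from one peer is worth alerting on.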

HarborGuard Coverage

Detection

Detection for CVE-2026-37223 is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle FlexRIC v2.0.0.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 7.5 (HIGH) and applies per-environment compliance policy weighting to determine escalation priority. Triage findings are routed to the appropriate team inbox within each customer organization based on their configured policy rules.

Status: Available

Patch

No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated automatically at that time.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach port 36422 over the network to deliver a decodable E2AP PDU, with a message type outside the whitelist, to the iApp dispatcher.

  • Authentication: Not required

    No credentials or session token are needed; the vulnerable code path is exercised by any unauthenticated network sender.

  • Victim interaction: Not required

    No user action is required; the crash is triggered purely by the attacker sending the crafted packet.

  • Attack complexity

    Exploit is reliable and condition-free; any decodable E2AP PDU with a message type outside the 9-entry whitelist is sufficient to trigger the abort.

Blast Radius

  • Crashes the iApp process via SIGABRT, taking down the entire near-RT RIC service.
  • Disconnects all E2 Nodes that maintain sessions through the RIC, dropping active radio coordination.
  • Disconnects all xApps relying on the RIC, disrupting any real-time RAN intelligence or control loops they provide.
  • Service remains unavailable until the process is manually or automatically restarted, with no data confidentiality or integrity impact.

How HarborGuard Handles This

Available on HarborGuard: automated detection for CVE-2026-37223 is active across customer environments and flags any image that includes FlexRIC v2.0.0 as soon as it appears in a scanned registry or pipeline. Because no upstream fix exists, HarborGuard monitors the advisory on every ingest cycle. The moment an upstream fix is published, it will trigger a patched-image rebuild and, for customers with auto-remediation enabled, a full rebuild, regression run, and PR against affected workloads.

In the interim, compensating controls worth considering include network-policy rules that restrict access to port 36422 to trusted E2 Node and xApp source addresses only, egress filtering to limit the blast radius of a crashed RIC process, and feature-flag or deployment-level gating that isolates the iApp component if the platform supports a split-process deployment mode. Customers should review their compliance policy settings in HarborGuard to ensure this HIGH-severity finding is routed to the appropriate team for tracking.

Affected packages
  • n/a / n/a
    n/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H