CVE-2026-37224: FlexRIC v2
FlexRIC v2.0.0 crashes when receiving a duplicate E2_SETUP_REQUEST from the same or spoofed E2 Node. The iApp registry enforces node ID uniqueness via assert() rather than graceful rejection. A remote unauthenticated attacker can crash the iApp process (port 36421) by sending two E2_SETUP_REQUESTs with the same E2 node configuration, triggering SIGABRT.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated denial-of-service vulnerability affects FlexRIC v2.0.0, an open RAN controller component. A remote attacker with network access to port 36421 can crash the iApp process by sending two E2_SETUP_REQUEST messages that share the same E2 node configuration, triggering an abort signal via a misused assert() call in the iApp registry. Successful exploitation terminates the iApp process, disrupting the O-RAN near-real-time control plane. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
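The defect class in the synopsis, shown as an added illustration written for this page rather than FlexRIC's own code: a hypothetical E2 node registry in which the "vulnerable" insert function treats identity uniqueness as a can't-happen assertion (so a second setup request carrying an already-registered identity aborts the process), beside a hardened variant that validates the attacker-controlled identity and returns a result code the caller can turn into a setup failure. The struct layout, field names, capacity and the registry function names are all assumptions.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical registry modelled on the defect class described in the
 * advisory; names, sizes and identity fields are assumptions, not
 * FlexRIC's own code. */
#define MAX_E2_NODES 16

typedef struct {
    uint32_t plmn;   /* constructed identity fields standing in for the */
    uint64_t nb_id;  /* node configuration carried in a setup request   */
    uint8_t  type;
} e2_node_id_t;

typedef struct {
    e2_node_id_t nodes[MAX_E2_NODES];
    size_t count;
} e2_registry_t;

static bool node_id_eq(const e2_node_id_t *a, const e2_node_id_t *b) {
    return a->plmn == b->plmn && a->nb_id == b->nb_id && a->type == b->type;
}

/* Returns the slot index of an already-registered identity, or -1. */
static int registry_find(const e2_registry_t *r, const e2_node_id_t *id) {
    for (size_t i = 0; i < r->count; i++)
        if (node_id_eq(&r->nodes[i], id)) return (int)i;
    return -1;
}

/* VULNERABLE pattern: uniqueness of remote-supplied input is enforced
 * with assert(), so a duplicate identity terminates the whole process
 * with SIGABRT instead of being refused; capacity is "checked" the same
 * way. Never called with a duplicate here, because it would abort. */
void registry_add_asserting(e2_registry_t *r, const e2_node_id_t *id) {
    assert(registry_find(r, id) == -1 && "duplicate E2 node id");
    assert(r->count < MAX_E2_NODES);
    r->nodes[r->count++] = *id;
}

typedef enum { REG_OK = 0, REG_DUPLICATE = 1, REG_FULL = 2 } reg_result_t;

/* HARDENED pattern: untrusted input is validated and rejected with a
 * result code; the caller can answer with a setup failure and keep
 * serving the nodes that are already registered. */
reg_result_t registry_add(e2_registry_t *r, const e2_node_id_t *id) {
    if (registry_find(r, id) != -1) return REG_DUPLICATE;
    if (r->count >= MAX_E2_NODES) return REG_FULL;
    r->nodes[r->count++] = *id;
    return REG_OK;
}

/* Feeds the hardened path two setup requests with the same constructed
 * identity and returns how many entries were registered (expected: 1). */
size_t demo_duplicate_setup(void) {
    e2_registry_t reg = {0};
    e2_node_id_t node = { .plmn = 0x001F01u, .nb_id = 3584u, .type = 0 };
    registry_add(&reg, &node);
    registry_add(&reg, &node); /* duplicate: refused, process keeps running */
    return reg.count;
}
```

The assert() form is only appropriate for invariants the program itself guarantees; anything derived from a network message is input, and input validation failures must be a return path, not an abort.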
HarborGuard Coverage
- Available: Detection capability is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images derived from FlexRIC base layers.
- Available: HarborGuard scores this finding at CVSS 7.5 HIGH using the published v3.1 vector and weights it against each customer environment's compliance policy to determine urgency; findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
- Pending upstream: No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released; customers with auto-remediation enabled will receive the rebuild, a regression test run, and a PR opened against affected workloads without manual intervention.
Exploit Conditions
- Network reachability: Required. The attacker must reach port 36421 over the network; the iApp process listens for E2 interface connections and is exposed to any host that can route to it.
- Authentication: Not required. No credentials or session token are needed; the E2_SETUP_REQUEST is processed before any authentication step is enforced.
- Victim interaction: Not required. The crash is triggered entirely by the attacker sending two crafted messages; no action from an operator or user is required.
- Attack complexity: Low (AC:L in the published vector). The exploit is reliable and condition-free: sending two E2_SETUP_REQUEST messages with identical node configuration is sufficient to trigger SIGABRT on every attempt.
Blast Radius
- Crashes the FlexRIC iApp process, taking down the near-real-time RAN controller and severing control-plane communication with all connected E2 Nodes.
- Disrupts any xApp or iApp workload depending on the iApp registry, halting policy enforcement and RAN configuration updates until the process is manually restarted.
- Enables a persistent denial-of-service loop: the attacker can repeatedly trigger the crash each time the process is restarted, as no rate-limiting or graceful rejection exists in the affected code path.
How HarborGuard Handles This
Status: available on HarborGuard. Because no upstream fix exists for CVE-2026-37224, the platform monitors the advisory on every ingest cycle and will automatically queue a patched-image rebuild the moment OpenAirInterface or the responsible maintainer publishes a corrected release. In the interim, customers can reduce exposure by applying a Kubernetes NetworkPolicy or host firewall rule that restricts inbound access to TCP port 36421 to trusted E2 Node IP ranges only, preventing unauthenticated actors from reaching the vulnerable endpoint. Egress filtering and service-mesh mTLS enforcement at the E2 interface boundary are additional compensating controls worth evaluating. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically once a fix version is available, with no manual steps required.
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H