CVE-2026-37225: FlexRIC v2
FlexRIC v2.0.0 crashes when the iApp receives an E42_RIC_SUBSCRIPTION_REQUEST with an empty ricEventTriggerDefinition field. The E42 layer decoder accepts this as valid, but the E2AP encoder asserts a non-empty constraint when forwarding the request. A remote unauthenticated attacker can crash the iApp process (port 36422) via SIGABRT by exploiting this cross-layer validation mismatch.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A denial-of-service vulnerability exists in FlexRIC v2.0.0, an open-source near-RT RAN Intelligent Controller. An unauthenticated attacker reachable over the network can send a crafted E42_RIC_SUBSCRIPTION_REQUEST message with an empty ricEventTriggerDefinition field, triggering a cross-layer validation mismatch that causes the iApp process to crash via SIGABRT on port 36422. No fix version has been published; HarborGuard tracks this advisory for patch availability.
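The cross-layer mismatch described above, reduced to a minimal C model (an added example, not FlexRIC source; every type and function name here is hypothetical). The decoder accepts an empty field, the encoder asserts on it, and the hardened path validates at the boundary and returns an error instead of aborting.

```c
/* Simplified model of the mismatch; hypothetical names, not FlexRIC source. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { const uint8_t *buf; size_t len; } byte_array_t;
typedef struct { uint16_t ran_func_id; byte_array_t event_trigger; } sub_req_t;
enum { SUB_OK = 0, SUB_ERR_EMPTY_TRIGGER = -1 };

/* Outer-layer decoder as the advisory describes it: a zero-length field passes. */
int decode_lenient(const uint8_t *trig, size_t len, sub_req_t *out) {
    out->ran_func_id = 1; /* constructed value */
    out->event_trigger.buf = trig;
    out->event_trigger.len = len;
    return SUB_OK;
}

/* Inner-layer encoder: enforces non-empty with assert(), so a violation aborts. */
size_t encode_asserting(const sub_req_t *req) {
    assert(req->event_trigger.len > 0);
    return req->event_trigger.len; /* stand-in for the encoded size */
}

/* Hardened: validate once at the trust boundary and return an error code. */
int validate_sub_req(const sub_req_t *req) {
    if (req->event_trigger.buf == NULL || req->event_trigger.len == 0)
        return SUB_ERR_EMPTY_TRIGGER;
    return SUB_OK;
}

/* Decode, validate, then forward; a bad message is rejected, the process lives. */
int handle_request(const uint8_t *trig, size_t len, size_t *encoded_len) {
    sub_req_t req;
    int rc = decode_lenient(trig, len, &req);
    if (rc == SUB_OK)
        rc = validate_sub_req(&req);
    if (rc != SUB_OK)
        return rc;
    *encoded_len = encode_asserting(&req);
    return SUB_OK;
}
int main(void) {
    static const uint8_t trig[] = {0x01, 0x02}; /* constructed sample bytes */
    size_t n = 0;
    printf("valid: rc=%d\n", handle_request(trig, sizeof trig, &n));
    printf("empty: rc=%d\n", handle_request(trig, 0, &n));
    return 0;
}
```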
HarborGuard Coverage
Detection for CVE-2026-37225 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream advisory feeds, including custom-built images that bundle FlexRIC v2.0.0.
Available
HarborGuard is capable of scoring this CVE at 7.5 HIGH using its CVSS v3.1 vector, weighting findings against per-environment compliance policies, and routing alerts to the appropriate team inbox within each customer organization.
Available
Because no upstream fix version has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the meantime, customers can apply compensating controls through HarborGuard policy rules to flag or block affected images from advancing through their pipelines.
Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the iApp service over the network; the vulnerable endpoint listens on port 36422 and is exposed to any network-accessible client.
- Authentication: Not required
  No credentials or session token are needed; the malformed subscription request can be sent by any unauthenticated client.
- Victim interaction: Not required
  The crash is triggered entirely by the attacker sending a single crafted message; no action by a legitimate user is required.
- Attack complexity: Detail
  Exploit reliability is high and condition-free; the attacker only needs to send a well-formed E42 message with the ricEventTriggerDefinition field left empty, with no race conditions or memory-layout dependencies.
Blast Radius
- Crashes the iApp process with SIGABRT, taking down the near-RT RIC control plane for all connected E2 nodes until the process is restarted.
- Disrupts active RAN Intelligent Controller subscriptions, interrupting any xApps or management functions that depend on E2 event reporting.
- Repeated sends allow an attacker to keep the iApp unavailable indefinitely, effectively denying RIC service to the entire deployment.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-37225 is active across customer registries and CI pipelines, flagging any image that includes FlexRIC v2.0.0 at HIGH severity with the full CVSS 7.5 context. Because no upstream patch exists yet, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically once a fix version is published; for customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads. While the fix is pending, recommended compensating controls include applying network policy to restrict access to port 36422 to trusted E2 node addresses only, enforcing egress filtering to limit lateral blast radius if the iApp is compromised, and using HarborGuard pipeline gates to block promotion of images containing the affected version into production environments.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H