CVE-2026-37226: FlexRIC v2
FlexRIC v2.0.0 crashes when the iApp receives an E42_RIC_SUBSCRIPTION_REQUEST referencing a non-existent E2 Node. The lookup function returns NULL, which trips an assert() in Debug builds (SIGABRT) and is dereferenced in Release builds (SIGSEGV). A remote unauthenticated attacker can crash the iApp process (port 36422) by sending a subscription request with an arbitrary global_e2_node_id.
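The defect class described above, shown as an added example next to a hardened form. This is not FlexRIC source code: the types, function names, status codes and registry contents are hypothetical stand-ins for the iApp's node lookup.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-ins for the iApp's node registry; not FlexRIC's own types. */
typedef struct { uint32_t node_id; int active_subs; } e2_node_t;
enum sub_status { SUB_OK = 0, SUB_ERR_UNKNOWN_NODE = -1 };

/* Constructed sample registry of connected E2 Nodes. */
static e2_node_t registry[] = { { 0x0e01u, 0 }, { 0x0e02u, 0 } };

/* Returns NULL when no connected node matches the requested id. */
static e2_node_t *find_node(uint32_t node_id)
{
    for (size_t i = 0; i < sizeof registry / sizeof registry[0]; i++)
        if (registry[i].node_id == node_id)
            return &registry[i];
    return NULL;
}

/* Pattern from the advisory: assert() is the only guard on network input. */
int subscribe_assert_only(uint32_t node_id)
{
    e2_node_t *n = find_node(node_id);
    assert(n != NULL);   /* Debug build: SIGABRT; removed when NDEBUG is set */
    n->active_subs++;    /* Release build: NULL dereference, SIGSEGV */
    return SUB_OK;
}

/* Hardened form: an unknown id is expected wire input, so reject it. */
int subscribe_checked(uint32_t node_id)
{
    e2_node_t *n = find_node(node_id);
    if (n == NULL)
        return SUB_ERR_UNKNOWN_NODE;  /* caller answers with a failure message */
    n->active_subs++;
    return SUB_OK;
}

/* Subscription count for a node, or -1 if the node is not registered. */
int active_subs(uint32_t node_id)
{
    e2_node_t *n = find_node(node_id);
    return n ? n->active_subs : -1;
}

int main(void)
{
    return subscribe_checked(0xdeadu) == SUB_ERR_UNKNOWN_NODE ? 0 : 1;
}
```

The point for code review: assert() documents programmer invariants, and a value taken from a peer's message is never an invariant, so the lookup result needs a runtime check that survives every build type.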
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A NULL pointer dereference in FlexRIC v2.0.0 allows a remote unauthenticated attacker to crash the iApp process. The vulnerability is reachable over the network on port 36422 with no authentication required, by sending a crafted E42_RIC_SUBSCRIPTION_REQUEST message referencing a non-existent E2 Node. Successful exploitation terminates the iApp process, causing a full denial of service for the affected O-RAN near-real-time RIC component. HarborGuard is tracking the advisory for patch availability, as no fix version has been published.
HarborGuard Coverage
Detection of CVE-2026-37226 is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle FlexRIC v2.0.0.
Status: Available
Triage is available using the CVSS v3.1 base score of 7.5 (HIGH), weighted against each customer organization's compliance policy to prioritize alerts and route them to the appropriate team inbox.
Status: Available
No fix version has been published upstream for this vulnerability. HarborGuard re-evaluates the advisory each ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must reach the iApp service over the network; the vulnerable endpoint listens on TCP port 36422 and is exposed to any network-reachable client.
- Authentication: Not required
No credentials or session are needed; the malicious subscription request can be sent by any unauthenticated client.
- Victim interaction: Not required
No user or operator action is required; the attacker sends the crafted packet directly and the crash occurs automatically.
- Attack complexity: Detail
Exploit is reliable and condition-free; crafting an E42_RIC_SUBSCRIPTION_REQUEST with an arbitrary global_e2_node_id value is sufficient to trigger the NULL dereference on every attempt.
Blast Radius
- Crashes the iApp process via SIGABRT (Debug builds) or SIGSEGV (Release builds), immediately terminating the near-real-time RIC component.
- Drops all active E2 Node subscriptions managed by the iApp, disrupting RAN control-loop functions that depend on those subscriptions.
- Causes a sustained denial of service as long as the attacker continues sending crafted messages after each restart.
How HarborGuard Handles This
Available on HarborGuard: the CVE is matched against all images containing FlexRIC v2.0.0 and flagged at HIGH severity as soon as the advisory is ingested. Because no upstream fix exists, HarborGuard monitors the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment an upstream fix is published.
In the interim, customers are encouraged to apply compensating controls such as:
- network-policy rules that restrict access to port 36422 to trusted E2 Node IP ranges only;
- egress filtering to limit lateral reachability of the iApp process;
- where architecturally feasible, placing the E42 interface behind a VPN or mTLS gateway to eliminate unauthenticated access.
For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will trigger automatically once a fix version is available upstream.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H