CVE-2026-37227 (HIGH), CNA: mitre

CVE-2026-37227: FlexRIC v2

FlexRIC v2.0.0 contains reachable assert(0) calls in stub message handlers for whitelisted but unimplemented E2AP message types in the near-RT RIC. A remote unauthenticated attacker can send a decodable E2AP PDU of such a type (e.g., E2nodeConfigurationUpdate) to crash the near-RT RIC process (port 36421) via SIGABRT. The message passes whitelist validation but triggers an unconditional assertion in the handler.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: none published
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a reachable assertion vulnerability in FlexRIC v2.0.0, specifically in the near-RT RAN Intelligent Controller (RIC) component of the O-RAN software stack. The flaw is reachable over the network with no authentication required: an attacker sends a valid-but-unimplemented E2AP protocol message (such as E2nodeConfigurationUpdate) to port 36421, which passes whitelist validation and then hits an unconditional assert(0) call in the stub handler, killing the process with SIGABRT. Successful exploitation crashes the near-RT RIC process, taking down a critical control-plane component of the RAN. No fix version has been published yet; HarborGuard tracks the upstream advisory and will make a patched rebuild available as soon as one is released.
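As an added illustration, not FlexRIC's own code (type numbers, function names and PDU bytes are constructed), the stub pattern described above beside a hardened handler that rejects the unimplemented type without aborting the process:

```c
#include <assert.h>
#include <stdio.h>

/* Constructed model of an E2AP message dispatcher; type numbers, names and
 * bytes are illustrative and are not FlexRIC's own code. */
enum msg_type { MSG_E2_SETUP_REQUEST = 1, MSG_E2NODE_CONFIG_UPDATE = 10, MSG_NOT_WHITELISTED = 99 };
enum handle_result { HANDLED = 0, REJECTED_NOT_WHITELISTED = 1, REJECTED_UNIMPLEMENTED = 2 };

static enum handle_result handle_setup(const unsigned char *pdu, size_t len) {
    (void)pdu; (void)len;  /* real handler body omitted */
    return HANDLED;
}

/* Pattern the advisory describes: the type survives the whitelist, then the stub
 * aborts the whole process (SIGABRT) on any decodable PDU of that type. assert()
 * is compiled out under NDEBUG, so debug and release builds also diverge here. */
static enum handle_result stub_config_update_vulnerable(const unsigned char *pdu, size_t len) {
    (void)pdu; (void)len;
    assert(0 && "E2nodeConfigurationUpdate not implemented");
    return HANDLED;  /* never reached when assertions are enabled */
}

/* Hardened stub: count and log the unsupported message, then reject it so the
 * caller can answer with a protocol-level error instead of dying. */
static unsigned long unimplemented_drops = 0;
static enum handle_result stub_config_update_hardened(const unsigned char *pdu, size_t len) {
    (void)pdu;
    unimplemented_drops++;
    fprintf(stderr, "E2AP: rejecting unimplemented E2nodeConfigurationUpdate (%zu bytes)\n", len);
    return REJECTED_UNIMPLEMENTED;
}

/* Whitelist check followed by per-type dispatch; `hardened` selects which stub
 * backs the unimplemented type so the two behaviours can be compared. */
static enum handle_result dispatch(int type, const unsigned char *pdu, size_t len, int hardened) {
    switch (type) {
    case MSG_E2_SETUP_REQUEST: return handle_setup(pdu, len);
    case MSG_E2NODE_CONFIG_UPDATE:
        return hardened ? stub_config_update_hardened(pdu, len) : stub_config_update_vulnerable(pdu, len);
    default: return REJECTED_NOT_WHITELISTED;
    }
}

int main(void) {
    const unsigned char pdu[] = { 0x00, 0x0a, 0x00 };  /* constructed bytes, not real E2AP */
    enum handle_result r = dispatch(MSG_E2NODE_CONFIG_UPDATE, pdu, sizeof pdu, 1);
    printf("hardened path returned %d, drops=%lu, process still running\n", r, unimplemented_drops);
    return 0;
}
```

The same whitelist admits the message in both variants; only the handler behind it decides whether the outcome is a logged rejection or a dead process.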

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-37227 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that package FlexRIC v2.0.0. Any image carrying the affected binary is flagged regardless of whether it originates from a public registry or an internal build pipeline.

Triage: Available

Triage is available using the recorded CVSS v3.1 score of 7.5 (HIGH), with per-environment compliance policy weighting applied to prioritize findings according to each customer organization's risk tolerances. Routed findings are delivered to the appropriate team inbox inside each customer org based on image ownership and policy configuration.

Patch: Pending upstream

Because no upstream fix version has been published for CVE-2026-37227, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainers ship a corrected release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the near-RT RIC service over the network; port 36421 must be accessible from the attacker's location.

  • Authentication: Not required

    No credentials or session token are needed; the malicious E2AP PDU can be sent by any unauthenticated network peer.

  • Victim interaction: Not required

    No user action is involved; the crash is triggered purely by the incoming network message hitting the vulnerable handler.

  • Attack complexity

    Exploit reliability is high and condition-free: any well-formed E2AP PDU of a whitelisted-but-unimplemented type is sufficient to trigger the assertion.

Blast Radius

  • Crashes the near-RT RIC process via SIGABRT, immediately terminating the control-plane component responsible for managing RAN functions.
  • Disrupts all active E2 interface sessions between the RIC and connected E2 nodes, dropping real-time RAN control loops until the process is restarted.
  • No confidentiality or integrity impact is present; the sole effect is a hard process termination causing a denial of service.

How HarborGuard Handles This

Available on HarborGuard: images containing FlexRIC v2.0.0 are matched against this CVE on every scan cycle. Because no upstream patch exists, HarborGuard monitors the advisory continuously and will trigger patched-image rebuilds and (for customers with auto-remediation enabled) a full rebuild, regression run, and PR against affected workloads the moment a fix version is published. In the interim, compensating controls worth considering include network-policy isolation that restricts access to port 36421 to trusted E2 node addresses only, egress and ingress filtering at the Kubernetes NetworkPolicy or firewall layer to limit the blast radius of a crash, and where operationally feasible, wrapping the near-RT RIC process in a supervisor that auto-restarts on SIGABRT to reduce downtime between exploit and recovery. These controls do not eliminate the vulnerability but reduce exploitability and mean time to recovery until the upstream fix is available.

Affected packages: n/a
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H