CVE-2026-37228: FlexRIC v2
FlexRIC v2.0.0 contains a reachable assertion in e2ap_recv_sctp_msg() (src/lib/ep/e2ap_ep.c). The function allocates a fixed 32KB receive buffer and enforces assert(rc < len) on the sctp_recvmsg() return value. A remote unauthenticated attacker can send a single SCTP message with payload >= 32,768 bytes to crash the near-RT RIC, iApp, E2 Agent, or xApp process via SIGABRT. No valid E2AP PDU is required. All four SCTP endpoint types (ports 36421 and 36422) share this vulnerable code path. In Release builds (NDEBUG), the stripped assertion leads to a signed-to-unsigned integer overflow and potential out-of-bounds read.
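The receive-length check at the heart of this bug, shown here as an added illustration rather than FlexRIC's own code: the vulnerable shape is reconstructed from the description above, beside a hardened check that classifies the sctp_recvmsg() result before it is used as a size. Function names, RECV_BUF_LEN and the MSG_EOR test are assumptions made for the example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/socket.h>   /* MSG_EOR: the kernel marks a complete SCTP record */
#include <sys/types.h>

#define RECV_BUF_LEN 32768 /* the fixed 32KB receive buffer the advisory describes */

enum recv_status { RECV_OK = 0, RECV_ERROR, RECV_TOO_LARGE, RECV_PARTIAL };

/* Vulnerable shape (reconstructed from the advisory, not FlexRIC's source).
 * rc is ssize_t and len is size_t, so the comparison converts rc to unsigned:
 * rc == -1 becomes SIZE_MAX and fails the assert just like rc >= 32768.
 * With assertions enabled the process dies with SIGABRT; with NDEBUG the
 * check vanishes and the converted value flows on as a length. */
size_t vulnerable_len(ssize_t rc, size_t len)
{
    assert(rc < len);
    return (size_t)rc;
}

/* What the length becomes once the assertion is compiled out. */
size_t as_length(ssize_t rc)
{
    return (size_t)rc;   /* -1 -> SIZE_MAX, the value a decoder would then trust */
}

/* Hardened check: classify the return value before it is ever used as a size.
 * A message that fills the whole buffer or arrives without MSG_EOR was
 * truncated by the kernel, so it is dropped rather than decoded. The MSG_EOR
 * test is an addition here; the advisory only discusses the length bound. */
enum recv_status check_sctp_recv(ssize_t rc, size_t len, int msg_flags, size_t *out)
{
    *out = 0;
    if (rc < 0)
        return RECV_ERROR;        /* errno is set; retry or close, never abort */
    if ((size_t)rc >= len)
        return RECV_TOO_LARGE;    /* the case that tripped assert(rc < len) */
    if (!(msg_flags & MSG_EOR))
        return RECV_PARTIAL;      /* more fragments pending, not a full PDU */
    *out = (size_t)rc;
    return RECV_OK;
}

/* Convenience wrapper for the 32KB buffer; returns only the status. */
enum recv_status e2ap_recv_status(ssize_t rc, int msg_flags)
{
    size_t n;
    return check_sctp_recv(rc, RECV_BUF_LEN, msg_flags, &n);
}
```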
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A reachable-assertion denial-of-service vulnerability exists in FlexRIC v2.0.0, specifically in the e2ap_recv_sctp_msg() function in src/lib/ep/e2ap_ep.c. The function allocates a fixed 32KB receive buffer and crashes via SIGABRT when an SCTP message with a payload of 32,768 bytes or more is received; no authentication or valid protocol message is required, and the service is exposed directly over the network. Successful exploitation crashes the near-RT RIC, iApp, E2 Agent, or xApp process, causing a complete loss of service availability. No upstream fix version has been published; HarborGuard tracks the advisory and will surface a patched-image rebuild the moment one becomes available.
HarborGuard Coverage
Detection (Available): Detection of CVE-2026-37228 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle FlexRIC v2.0.0 components. Any image found to carry the affected binary or library is flagged in the customer's registry and pipeline scan results.
Triage (Available): Triage is available with the recorded CVSS v3.1 score of 7.5 (HIGH), surfaced alongside per-environment compliance-policy weighting so teams can calibrate urgency against their own risk thresholds. Routing rules within each customer org can direct the finding to the appropriate inbox, such as a platform team owning RAN or O-RAN infrastructure.
Patched-image rebuild (Pending upstream): Because no upstream fix version has been published for CVE-2026-37228, no patched-image rebuild is currently available. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainers publish a fix.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the SCTP endpoints (ports 36421 and 36422) over the network; any host with network access to those ports can trigger the crash.
- Authentication: Not required
  No credentials or session are needed; an unauthenticated remote sender can deliver the oversized SCTP message directly.
- Victim interaction: Not required
  No user or operator action is required; the vulnerable code path is triggered automatically upon receipt of the malformed message.
- Attack complexity: Low (CVSS AC:L)
  Exploitation is reliable and condition-free: sending a single SCTP message with a payload of 32,768 bytes or more is sufficient, with no timing dependency or environmental setup required.
Blast Radius
- Crashes the targeted FlexRIC process (near-RT RIC, iApp, E2 Agent, or xApp) via SIGABRT, taking the process fully offline.
- Disrupts real-time RAN intelligence and control-plane functions for the duration of the outage, as all four SCTP endpoint types share the vulnerable code path.
- In Release builds compiled with NDEBUG, the stripped assertion produces a signed-to-unsigned integer overflow leading to an out-of-bounds read of process memory.
- An attacker can repeat the single-packet trigger to prevent recovery, sustaining a denial-of-service condition indefinitely.
How HarborGuard Handles This
Available on HarborGuard: scanning for CVE-2026-37228 is active and will match any image that includes the affected FlexRIC v2.0.0 code, including internally built O-RAN images. Because no upstream patch exists yet, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically once the maintainers publish a fix; customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention. In the interim, the most effective compensating control is strict network-policy isolation: restrict inbound SCTP access on ports 36421 and 36422 to known, trusted E2 nodes and xApp peers using Kubernetes NetworkPolicy or an equivalent firewall rule, preventing unauthenticated hosts from reaching the vulnerable endpoints at all. Egress filtering to limit the blast radius of a compromised adjacent node is also advisable. Customers running Release (NDEBUG) builds should treat the out-of-bounds read risk as an additional severity factor when deciding how urgently to apply isolation controls.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H