CVE-2026-37229 | Severity: HIGH | CNA: mitre

CVE-2026-37229: FlexRIC v2

FlexRIC v2.0.0 contains a reachable assertion in e2ap_create_pdu() triggered when ASN.1 PER decoding fails. A remote unauthenticated attacker can send any non-PER byte sequence (e.g., a single 0x00 byte) over SCTP to the near-RT RIC (port 36421) or iApp (port 36422) to crash the process via SIGABRT. The assertion is reached before any protocol-level validation occurs. All three E2AP protocol versions (v1.01, v2.03, v3.01) are affected.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: no fix version published
Affected products: 1


HarborGuard Analysis

Synopsis

A reachable-assertion crash (denial of service) affects FlexRIC v2.0.0, the open-source near-RT RAN Intelligent Controller. A remote, unauthenticated attacker can send any malformed byte sequence over SCTP to port 36421 or 36422, triggering a SIGABRT before any protocol-level validation occurs and immediately terminating the process. Successful exploitation causes a full service crash with no confidentiality or integrity impact. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle FlexRIC v2.0.0 binaries. Any image in a connected registry or CI pipeline that carries the affected version is flagged automatically.

Triage: Available

HarborGuard scores this finding at CVSS 7.5 HIGH (v3.1) and weights it against each environment's compliance policy to determine urgency and routing. The resulting alert is directed to the team or inbox configured for high-severity network-reachable findings in each customer org.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream project ships a fix. For customers with auto-remediation enabled, a rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once that fix is available.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the SCTP service over the network, specifically port 36421 (near-RT RIC) or port 36422 (iApp), to deliver the malformed payload.

  • Authentication: Not required

    No credentials or session token of any kind are needed; the assertion is hit before any authentication check runs.

  • Victim interaction: Not required

    No user action is required; the crash is triggered purely by sending a crafted packet to the listening service.

  • Attack complexity: Low (CVSS AC:L)

    Exploitation is reliable and condition-free: any non-PER byte sequence, including a single 0x00 byte, is sufficient to trigger the assertion.

Blast Radius

  • Crashes the FlexRIC near-RT RIC or iApp process immediately via SIGABRT, taking the RAN control plane offline.
  • All three supported E2AP protocol versions (v1.01, v2.03, v3.01) are affected, so no supported deployment is exempt.
  • Service disruption is instantaneous and repeatable: an attacker can keep the process down by retransmitting the malformed packet after each restart.
  • No stored data is read or modified; impact is limited to availability of the FlexRIC control process.
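The bug class described above (decode failure treated as a programming error and funnelled into assert(), so that one undecodable byte from an unauthenticated peer aborts the process) is easiest to see next to its hardened form. The following C program is an added illustration and is not FlexRIC's own code: the message layout, the toy decoder and the function names are assumptions for the example only, and stand in for the real ASN.1 PER decoder and e2ap_create_pdu(). The vulnerable handler keeps the reachable assertion; the hardened handler treats decode failure as an expected event on a network-facing socket, logs and counts it, and returns an error the caller can act on.

```c
/* Added illustrative example (not FlexRIC code): reachable assertion on
 * decode failure beside a hardened handler. The toy framing below is an
 * assumption for the example; real E2AP is ASN.1 PER, which this is not. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-in for a decoded E2AP PDU (hypothetical fields). */
typedef struct {
    uint8_t  pdu_choice;   /* 0 initiatingMessage, 1 successfulOutcome, 2 unsuccessfulOutcome */
    uint8_t  procedure;    /* procedure code, 0..63 */
    uint16_t body_len;     /* length of the body that follows the header */
} toy_e2ap_pdu_t;

enum { E2AP_OK = 0, E2AP_DECODE_ERR = -1 };

/* Assumed framing: one header byte (CHOICE index in the top 2 bits, procedure
 * in the low 6 bits), a 2-byte big-endian body length, then the body.
 * Anything that does not fit is a decode failure, returned as a status code. */
static int toy_per_decode(const uint8_t *buf, size_t len, toy_e2ap_pdu_t *out)
{
    if (buf == NULL || len < 3)
        return E2AP_DECODE_ERR;                          /* a lone 0x00 byte fails here */
    uint8_t choice = buf[0] >> 6;
    if (choice > 2)
        return E2AP_DECODE_ERR;                          /* CHOICE index out of range */
    uint16_t body_len = (uint16_t)((buf[1] << 8) | buf[2]);
    if ((size_t)body_len != len - 3)
        return E2AP_DECODE_ERR;                          /* declared length disagrees with the frame */
    out->pdu_choice = choice;
    out->procedure  = buf[0] & 0x3F;
    out->body_len   = body_len;
    return E2AP_OK;
}

/* Vulnerable shape: decode failure is treated as impossible. With untrusted
 * input the assert() fires and the process exits with SIGABRT. (With NDEBUG
 * defined the check disappears entirely and the uninitialised pdu is used.) */
int vulnerable_handle_msg(const uint8_t *buf, size_t len)
{
    toy_e2ap_pdu_t pdu;
    int rc = toy_per_decode(buf, len, &pdu);
    assert(rc == E2AP_OK && "E2AP PER decode failed");   /* reachable assertion */
    return pdu.procedure;
}

/* Hardened shape: undecodable input is expected on a network socket. Count it,
 * log it, drop the message and return an error; the caller can then close the
 * SCTP association if one peer keeps sending garbage. Independent of NDEBUG. */
static unsigned long g_decode_failures = 0;

int hardened_handle_msg(const uint8_t *buf, size_t len)
{
    toy_e2ap_pdu_t pdu;
    int rc = toy_per_decode(buf, len, &pdu);
    if (rc != E2AP_OK) {
        g_decode_failures++;
        fprintf(stderr, "e2ap: dropping undecodable message (%zu bytes)\n", len);
        return E2AP_DECODE_ERR;
    }
    return pdu.procedure;
}

unsigned long hardened_decode_failures(void) { return g_decode_failures; }

int main(void)
{
    /* Constructed inputs: the advisory's single 0x00 byte and one well-formed toy frame
     * (initiatingMessage, procedure 1, two-byte body). */
    const uint8_t bad[]  = { 0x00 };
    const uint8_t good[] = { 0x01, 0x00, 0x02, 0xAA, 0xBB };

    printf("hardened, bad input   : %d\n", hardened_handle_msg(bad, sizeof bad));
    printf("hardened, good input  : %d\n", hardened_handle_msg(good, sizeof good));
    printf("vulnerable, good input: %d\n", vulnerable_handle_msg(good, sizeof good));
    /* vulnerable_handle_msg(bad, sizeof bad) would abort this process with SIGABRT. */
    return 0;
}
```

The point of the hardened version is not the particular framing but the contract: a decoder's failure result is data, not an invariant, and the handler must have a non-fatal path for it. The failure counter also gives operators something to alert on, which the assertion never could.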

How HarborGuard Handles This

Because no upstream fix exists yet, HarborGuard monitors the FlexRIC advisory on every ingest cycle and will surface a patched-image rebuild the moment the project publishes a remediated release. For customers with auto-remediation enabled, that rebuild will trigger a regression run and open a PR against affected workloads without manual steps.

In the interim, the primary compensating control is network restriction: allow SCTP to port 36421 only from the addresses of known E2 nodes and to port 36422 only from known iApp peers, and drop everything else at the host firewall or cluster network policy. SCTP's four-way association setup (INIT, INIT-ACK, COOKIE-ECHO, COOKIE-ACK) requires the initiator to echo a cookie it can only receive at its real address, so an attacker cannot deliver a payload from a spoofed source and an address allowlist is an effective control here. Do not expect a load balancer or gateway to "drop non-PER frames": PER is not self-describing, so a device can only reject malformed input by fully decoding E2AP itself, which is the same operation that crashes the RIC. An SCTP-aware gateway is still useful for refusing associations from unknown peers before they reach the process. Finally, run the RIC and iApp under a process supervisor with a restart policy (for example systemd Restart=on-failure or a Kubernetes restartPolicy) so that the SIGABRT becomes a logged restart rather than a silent outage; seccomp and AppArmor profiles restrict system calls and file access and cannot turn an abort into a restart. A restart alone does not stop an attacker who retransmits the packet after each restart, so pair it with the network restriction and alert on repeated abnormal exits of the process.

Affected packages: n/a

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H