CVE-2026-37230: FlexRIC v2
FlexRIC v2.0.0 crashes when the near-RT RIC receives a RIC_INDICATION message with a ran_func_id that does not exist in its registry. The lookup returns NULL, triggering a failed assert() in Debug builds (SIGABRT) or a NULL pointer dereference in Release builds (SIGSEGV). A remote unauthenticated attacker can crash the near-RT RIC (port 36421) by sending a crafted RIC_INDICATION with an arbitrary ran_func_id value.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a NULL pointer dereference (crash) vulnerability in FlexRIC v2.0.0, specifically in the near-RT RAN Intelligent Controller (RIC) component. The flaw is reachable over the network without any authentication by sending a crafted RIC_INDICATION message containing an unregistered ran_func_id value. Successful exploitation crashes the near-RT RIC process, causing a full denial of service. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.
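The defensive pattern for this bug class, as an added example that is not FlexRIC's code: a lookup miss on a peer-supplied ran_func_id is rejected and counted instead of being asserted on. The types, function names and status codes are hypothetical, and the two-entry registry is constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical types and names for illustration; not FlexRIC's own code. */
typedef int (*ind_cb_t)(const uint8_t *payload, size_t len);
typedef struct { uint16_t ran_func_id; ind_cb_t on_indication; } ran_func_t;
typedef enum { IND_OK = 0, IND_UNKNOWN_RAN_FUNC = -1, IND_BAD_MSG = -2 } ind_status_t;

static int sample_cb(const uint8_t *payload, size_t len)
{
    (void)payload;
    return (int)len;            /* stand-in for a service-model handler */
}

/* Constructed sample registry: only IDs 2 and 3 are registered. */
static const ran_func_t registry[] = { { 2, sample_cb }, { 3, sample_cb } };

static unsigned long unknown_ran_func_drops;   /* export as a metric/alert */

/* Returns NULL when the ID was never registered. */
static const ran_func_t *find_ran_func(uint16_t id)
{
    for (size_t i = 0; i < sizeof registry / sizeof registry[0]; i++)
        if (registry[i].ran_func_id == id)
            return &registry[i];
    return NULL;
}

unsigned long dropped_indications(void) { return unknown_ran_func_drops; }

/* ran_func_id is peer-controlled, so a miss is an expected runtime
 * condition. Checking it with assert() aborts Debug builds and, because
 * assert() compiles to nothing under NDEBUG, lets Release builds go on to
 * dereference NULL. Reject the message explicitly and keep running. */
ind_status_t handle_ric_indication(uint16_t ran_func_id,
                                   const uint8_t *payload, size_t len)
{
    if (payload == NULL && len != 0)
        return IND_BAD_MSG;

    const ran_func_t *rf = find_ran_func(ran_func_id);
    if (rf == NULL || rf->on_indication == NULL) {
        unknown_ran_func_drops++;
        return IND_UNKNOWN_RAN_FUNC;
    }
    return rf->on_indication(payload, len) >= 0 ? IND_OK : IND_BAD_MSG;
}

int main(void) { return handle_ric_indication(9, NULL, 0) == IND_UNKNOWN_RAN_FUNC ? 0 : 1; }
```

A rising drop counter is also a useful detection signal: legitimate E2 nodes should only reference RAN functions they registered.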
HarborGuard Coverage
Detection of CVE-2026-37230 is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle FlexRIC v2.0.0.
Status: Available
HarborGuard is capable of scoring this CVE at 7.5 HIGH (CVSS v3.1) and weighting it against each environment's compliance policy to determine urgency. Findings are routable to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Status: Available
Because no upstream fix version exists for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is published upstream. In the meantime, compensating controls such as network-policy rules restricting access to port 36421 can be flagged and tracked through HarborGuard's policy engine.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required. The attacker must reach the near-RT RIC service over the network; the vulnerable endpoint listens on port 36421 and is exposed to any network-reachable host.
- Authentication: Not required. No credentials or session token are needed; the malicious RIC_INDICATION message can be sent by any unauthenticated party.
- Victim interaction: Not required. No user or operator action is required; the crash is triggered entirely by the attacker-controlled network message.
- Attack complexity: Detail. Attack complexity is low, meaning the exploit is reliable and condition-free with no race conditions or special environmental factors required.
Blast Radius
- Crashes the near-RT RIC process, taking the RAN Intelligent Controller offline and interrupting all RAN function management it handles.
- In Debug builds the process terminates via SIGABRT (failed assert); in Release builds it terminates via SIGSEGV (NULL pointer dereference). Both outcomes are an immediate, hard process crash.
- Any workloads or control-plane operations depending on the near-RT RIC for RAN function coordination lose service for the duration of the outage.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists for CVE-2026-37230 at this time, HarborGuard monitors the advisory on every ingest cycle and will automatically surface a patched-image rebuild the moment FlexRIC publishes a corrected release. While waiting for an upstream fix, customers can use HarborGuard's policy engine to flag images containing FlexRIC v2.0.0 and apply compensating controls, such as network-policy rules that restrict inbound access to port 36421 to trusted E2 node sources only, reducing the attack surface without requiring a code change. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and a PR opened against affected workloads will become available as soon as a fix version is published upstream.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H