CVE-2026-37231: FlexRIC v2
FlexRIC v2.0.0 uses a uint16_t counter for xapp_id assignment but stores the value in uint32_t message fields. After 65,530+ E42_SETUP_REQUESTs, the 16-bit counter wraps around and produces duplicate xapp_ids. The iApp (port 36422) crashes when attempting to register a duplicate ID in its internal data structure. A remote attacker can trigger this by repeatedly connecting and requesting new xApp registrations.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An integer wraparound vulnerability in FlexRIC v2.0.0 allows a remote, unauthenticated attacker to crash the iApp service by exhausting the 16-bit xapp_id counter. The service is reachable over the network on port 36422 without any authentication, and after 65,530 or more E42_SETUP_REQUEST connections the counter wraps, producing duplicate xapp_ids that corrupt the internal registration structure. Successful exploitation causes a denial of service, taking down the iApp and any xApp registrations it manages. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
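The root cause described in the summary and synopsis above is a width mismatch: a 16-bit allocation counter feeding a 32-bit identifier field, with no check that the issued id is still free before it is inserted into the registry. The following C program is an added illustration, not FlexRIC code, using hypothetical names (`alloc_id_narrow`, `xapp_registry_t`, `registry_alloc_and_register`) and a simplified registry; it shows how many distinct ids the narrow counter can issue before it repeats, and a hardened allocator whose counter matches the field width, refuses duplicate ids with an error instead of aborting, and bounds the table so a flood of registrations fails cleanly rather than corrupting state.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the E42 setup response: the id travels in a 32-bit field. */
typedef struct {
    uint32_t xapp_id;
} e42_setup_resp_t;

/* Vulnerable pattern: a 16-bit counter widened into the 32-bit field.
   The cast hides the truncation; after 65,535 the counter wraps to 0. */
static uint16_t next_id_narrow = 1;

uint32_t alloc_id_narrow(void)
{
    return (uint32_t)next_id_narrow++;
}

/* Count how many distinct ids the narrow counter issues before one repeats. */
uint32_t narrow_counter_period(void)
{
    next_id_narrow = 1;
    uint32_t first = alloc_id_narrow();
    uint32_t n = 1;
    while (alloc_id_narrow() != first)
        n++;
    return n; /* 65536: the 65,537th allocation reissues the first id */
}

/* Hardened pattern (constructed example): counter width matches the field,
   a collision is reported to the caller, and the table has a fixed capacity. */
#define MAX_XAPPS 1024

typedef struct {
    uint32_t ids[MAX_XAPPS];
    size_t count;
    uint32_t next_id;
} xapp_registry_t;

void registry_init(xapp_registry_t *r)
{
    memset(r, 0, sizeof *r);
    r->next_id = 1; /* 0 is reserved as "unassigned" */
}

static bool registry_contains(const xapp_registry_t *r, uint32_t id)
{
    for (size_t i = 0; i < r->count; i++)
        if (r->ids[i] == id)
            return true;
    return false;
}

/* 0 on success, -1 if the table is full, -2 if the id is already registered. */
int registry_register(xapp_registry_t *r, uint32_t id)
{
    if (r->count >= MAX_XAPPS)
        return -1;
    if (registry_contains(r, id))
        return -2; /* reject the duplicate; never abort the service */
    r->ids[r->count++] = id;
    return 0;
}

int registry_deregister(xapp_registry_t *r, uint32_t id)
{
    for (size_t i = 0; i < r->count; i++) {
        if (r->ids[i] == id) {
            r->ids[i] = r->ids[--r->count]; /* swap-remove */
            return 0;
        }
    }
    return -1;
}

/* Issue a fresh id and fill the response. Skips 0 and any id still in use, so the
   allocator stays correct even when the 32-bit counter eventually wraps.
   Among MAX_XAPPS + 2 consecutive values at most one is 0 and at most MAX_XAPPS
   are in use, so the loop always terminates with a free id when space remains. */
int registry_alloc_and_register(xapp_registry_t *r, e42_setup_resp_t *resp)
{
    if (r->count >= MAX_XAPPS)
        return -1; /* table full: fail the setup request, do not grow unbounded */
    for (uint32_t tries = 0; tries < MAX_XAPPS + 2; tries++) {
        uint32_t id = r->next_id++;
        if (id == 0 || registry_contains(r, id))
            continue;
        if (registry_register(r, id) == 0) {
            resp->xapp_id = id;
            return 0;
        }
    }
    return -1;
}

int main(void)
{
    printf("narrow counter repeats after %u ids\n", narrow_counter_period());
    xapp_registry_t reg;
    registry_init(&reg);
    e42_setup_resp_t resp;
    registry_alloc_and_register(&reg, &resp);
    printf("first hardened id: %u, duplicate register -> %d\n",
           resp.xapp_id, registry_register(&reg, resp.xapp_id));
    return 0;
}
```

The two properties a reviewer would check in the real code are the ones exercised here: the counter's type is at least as wide as every field it is copied into, and the insert path returns an error on collision or exhaustion instead of treating either as impossible.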
HarborGuard Coverage
Detection capability for CVE-2026-37231 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle FlexRIC v2.0.0. Any image flagged as running an affected version surfaces immediately in the dashboard and pipeline scan results.
Status: Available
HarborGuard scores this CVE at CVSS 7.5 HIGH (v3.1) and weights that score against each customer environment's compliance policy to determine urgency and routing. Triage findings are delivered to the inbox or ticket queue configured by the customer org, so the right team sees the finding without manual forwarding.
Status: Available
Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment upstream ships a corrected release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without any manual steps once the fix is available.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must reach port 36422 on the iApp over the network; any host with a routable path to that port can send E42_SETUP_REQUEST messages.
- Authentication: Not required
No credentials or session token are needed; the registration endpoint accepts connections from unauthenticated remote clients.
- Victim interaction: Not required
The attacker sends crafted requests directly to the service with no need for an operator or user to take any action.
- Attack complexity: Low (CVSS AC:L)
The exploit is mechanically straightforward and condition-free: the attacker simply opens and repeats connections until the 16-bit counter wraps, which requires volume but no timing precision or special environment state.
Blast Radius
- Crashes the iApp process on port 36422, immediately halting all xApp registration and management operations.
- Any xApps that depend on the iApp for lifecycle management lose their registration state and become non-functional until the service is manually restarted.
- Repeated attacks keep the iApp unavailable indefinitely, preventing recovery without network-level controls blocking the attacker.
How HarborGuard Handles This
Available on HarborGuard: scanning capability for CVE-2026-37231 is active now, and any image containing FlexRIC v2.0.0 is flagged on the next pipeline run or registry scan. Because no upstream patch exists yet, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically once the maintainers ship a fix. In the interim, customers can apply compensating controls through network policy: restrict ingress to port 36422 to known, authorized source CIDRs; apply rate-limiting or connection-count caps at the load balancer or firewall to slow counter exhaustion; and consider feature-flag gating or admission-control policies that prevent untrusted clients from reaching the registration endpoint. Where compliance policy permits, auto-remediation customers will have a rebuild, regression run, and PR opened against affected workloads as soon as a fix version is published upstream.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H