CVE-2026-37232 | Severity: HIGH | CNA: mitre

CVE-2026-37232: An issue was discovered in OpenAirInterface5G 2

An issue was discovered in OpenAirInterface5G 2.4.0 (nr-softmodem) in the E2SM-KPM RAN Function's PRB utilization metric calculation. The functions fill_RRU_PrbTotDl() and fill_RRU_PrbTotUl() in openair2/E2AP/RAN_FUNCTION/O-RAN/ran_func_kpm_subs.c (lines 182 and 197) compute PRB usage percentages by dividing by the difference of two consecutive total_prb_aggregate samples without checking for zero. When a malicious xApp sends a high volume of E42_RIC_SUBSCRIPTION_REQUESTs via the FlexRIC iApp (port 36422/SCTP), the E2 Agent generates KPM Indication reports at high frequency. If two consecutive sampling intervals yield identical PRB aggregate values, the divisor becomes zero, triggering SIGFPE and crashing the entire 5G base station process (nr-softmodem). This results in complete 5G cell service interruption for all connected UEs. No authentication is required.
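The unchecked-delta pattern described above, reduced to a stand-alone C model next to a guarded version. This is an added example, not OpenAirInterface5G source and not an upstream fix; the struct, the function names and the used_prb_aggregate field are assumptions, and returning 0 for an empty interval is one possible policy.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of one KPM sample. Only total_prb_aggregate is a name
 * taken from the advisory; everything else here is hypothetical. */
typedef struct {
    uint64_t used_prb_aggregate;   /* PRBs scheduled so far (assumed field) */
    uint64_t total_prb_aggregate;  /* PRBs available so far */
} prb_sample_t;

/* Pattern the advisory describes: the divisor is the delta of two
 * consecutive total_prb_aggregate samples and is never checked.
 * Integer division by zero is undefined behaviour in C; on x86-64 Linux
 * it raises SIGFPE, which terminates the process by default. */
uint32_t prb_pct_unchecked(prb_sample_t prev, prb_sample_t cur)
{
    uint64_t used  = cur.used_prb_aggregate  - prev.used_prb_aggregate;
    uint64_t total = cur.total_prb_aggregate - prev.total_prb_aggregate;
    return (uint32_t)(used * 100 / total);
}

/* Guarded form: a zero or backwards delta means no new PRBs were accounted
 * since the last report, so report 0 % for that interval; clamp to 100. */
uint32_t prb_pct_checked(prb_sample_t prev, prb_sample_t cur)
{
    if (cur.total_prb_aggregate <= prev.total_prb_aggregate ||
        cur.used_prb_aggregate  <  prev.used_prb_aggregate)
        return 0;
    uint64_t used  = cur.used_prb_aggregate  - prev.used_prb_aggregate;
    uint64_t total = cur.total_prb_aggregate - prev.total_prb_aggregate;
    uint64_t pct   = used * 100 / total;
    return pct > 100 ? 100 : (uint32_t)pct;
}

int main(void)
{
    prb_sample_t a = { 5300, 10600 };  /* constructed samples */
    prb_sample_t b = { 7950, 21200 };  /* normal interval: 2650 of 10600 */
    prb_sample_t c = b;                /* back-to-back report, no new data */
    printf("normal interval:   %u%%\n", (unsigned)prb_pct_checked(a, b));
    printf("identical samples: %u%%\n", (unsigned)prb_pct_checked(b, c));
    /* prb_pct_unchecked(b, c) would divide by zero at this point. */
    return 0;
}
```

The same guard applies to both the downlink and uplink calculations, since the advisory describes the identical division in each.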

Metrics

CVSS v3.1: 8.6
Severity: HIGH
Fixed in
Affected Products: 1

HarborGuard Analysis

Synopsis

A divide-by-zero crash vulnerability affects the nr-softmodem process in OpenAirInterface5G 2.4.0. An unauthenticated remote attacker can send a flood of E42_RIC_SUBSCRIPTION_REQUEST messages over SCTP to port 36422, causing the E2 Agent to sample PRB utilization fast enough that two consecutive readings are identical, which produces a zero divisor, a SIGFPE signal, and an immediate process crash. Successful exploitation terminates the entire 5G base station process and drops service for every user equipment attached to the affected cell. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-37232 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle OpenAirInterface5G components.

Status: Available
Triage

HarborGuard is capable of scoring this finding at CVSS 8.6 HIGH (v3.1) and weighting it against each environment's compliance policy to determine urgency; findings are routed automatically to the appropriate team inbox within the customer org based on image ownership and policy configuration.

Status: Available
Patch

No upstream fix version has been published for this CVE. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainers ship a fix; customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the target over the network; the vulnerable SCTP listener on port 36422 is exposed as a network service by the FlexRIC iApp.

  • Authentication: Not required

    No credentials or session token are needed; the E2 Agent processes subscription requests from any unauthenticated sender.

  • Victim interaction: Not required

    The crash is triggered entirely by attacker-controlled network traffic; no operator or user action is required.

  • Attack complexity: Detail

    Exploit reliability is high and condition-free; the attacker only needs to send enough subscription requests to drive the sampling frequency up until two consecutive PRB aggregate values collide.

Blast Radius

  • Crashes the nr-softmodem process on the targeted 5G base station, ending all radio processing on that node.
  • Drops active and idle connections for every user equipment attached to the affected cell, resulting in complete loss of 5G service in that cell's coverage area.
  • Because no authentication is required, any host that can route packets to port 36422/SCTP can trigger the crash repeatedly, preventing service recovery through simple restart.
  • Availability of the broader RAN is affected if the crashed gNB is the sole or primary node serving a sector or site.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-37232 is active and capable of flagging any image in a customer registry or pipeline that includes the affected OpenAirInterface5G 2.4.0 nr-softmodem binary. Because no upstream fix has been published, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild opportunity the moment a remediated version is released by the OpenAirInterface5G project.

In the interim, customers are encouraged to apply compensating controls:

  • Restrict network-policy access to port 36422/SCTP so that only trusted xApp hosts can reach the E2 Agent.
  • Apply egress filtering at the FlexRIC iApp boundary to rate-limit or block unauthenticated subscription floods.
  • Consider feature-flag gating or disabling the E2SM-KPM RAN Function if KPM reporting is not operationally required.

For customers with auto-remediation enabled, a rebuild, regression run, and PR against affected workloads will be triggered automatically once an upstream fix version is available.

Affected packages
  • n/a / n/a
    n/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H