CVE-2026-37233: FlexRIC v2
FlexRIC v2.0.0 contains an authorization bypass in the iApp's xApp isolation mechanism. The equality function eq_xapp_ric_gen_id() in src/ric/iApp/xapp_ric_id.c compares m0->xapp_id against itself (m0->xapp_id) instead of the other argument (m1->xapp_id), effectively ignoring the xApp identity dimension. A malicious xApp connected to the iApp (port 36422) can delete any other xApp's subscriptions by sending an E42_RIC_SUBSCRIPTION_DELETE_REQUEST with a matching ric_gen_id. This breaks multi-tenant isolation in any deployment with multiple xApps sharing the same RIC.
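The comparison flaw described above, shown beside its corrected form as an added example that is not FlexRIC's source code. The struct layouts, the `demo_` names, the table lookup and the sample IDs are constructed stand-ins; only the self-comparison of `xapp_id` is taken from the advisory text.

```c
/* Added example: simplified stand-in types, not FlexRIC's real definitions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint16_t ric_req_id, ric_inst_id, ran_func_id; } demo_ric_gen_id_t;
typedef struct { demo_ric_gen_id_t ric_id; uint32_t xapp_id; } demo_xapp_ric_id_t;
typedef bool (*demo_eq_fn)(const demo_xapp_ric_id_t *, const demo_xapp_ric_id_t *);

static bool eq_gen(const demo_ric_gen_id_t *a, const demo_ric_gen_id_t *b) {
    return a->ric_req_id == b->ric_req_id && a->ric_inst_id == b->ric_inst_id
        && a->ran_func_id == b->ran_func_id;
}

/* Flawed form described in the advisory: xapp_id is compared with itself,
 * so the owner field never influences the result. */
bool eq_flawed(const demo_xapp_ric_id_t *m0, const demo_xapp_ric_id_t *m1) {
    return m0->xapp_id == m0->xapp_id && eq_gen(&m0->ric_id, &m1->ric_id);
}

/* Corrected form: both operands take part in the owner comparison. */
bool eq_fixed(const demo_xapp_ric_id_t *m0, const demo_xapp_ric_id_t *m1) {
    return m0->xapp_id == m1->xapp_id && eq_gen(&m0->ric_id, &m1->ric_id);
}

/* Hypothetical subscription-table lookup: returns the index of the entry the
 * requester's key matches, or -1. A delete handler would remove that entry. */
int find_subscription(const demo_xapp_ric_id_t *tbl, size_t n,
                      const demo_xapp_ric_id_t *key, demo_eq_fn eq) {
    for (size_t i = 0; i < n; i++)
        if (eq(&tbl[i], key)) return (int)i;
    return -1;
}

/* Constructed scenario: xApp 7 owns the only subscription; a request from
 * xApp 9 carries the same ric_gen_id. Returns the matched index or -1. */
int cross_tenant_lookup(demo_eq_fn eq) {
    const demo_xapp_ric_id_t table[] = { { {1, 0, 142}, 7 } };
    const demo_xapp_ric_id_t request = { {1, 0, 142}, 9 };
    return find_subscription(table, 1, &request, eq);
}

int main(void) {
    printf("flawed match index: %d\n", cross_tenant_lookup(eq_flawed));
    printf("fixed match index:  %d\n", cross_tenant_lookup(eq_fixed));
    return 0;
}
```

A regression test using two keys that differ only in `xapp_id` is enough to catch this class of defect.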
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authorization bypass in FlexRIC v2.0.0 allows any xApp connected to the iApp interface, authenticated or not, to delete subscriptions belonging to other xApps. According to the CVSS vector (AV:N/AC:L/PR:N/UI:N), the flaw is reachable over the network on port 36422 with no authentication and no user interaction. Successful exploitation breaks multi-tenant xApp isolation and causes a denial of service by forcibly deleting another xApp's active RIC subscriptions. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.
HarborGuard Coverage
Detection capability for CVE-2026-37233 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream advisory feeds, including custom-built images that bundle FlexRIC v2.0.0. Scanning covers both registry images and images injected directly into CI/CD pipelines.
Status: Available
HarborGuard is capable of scoring this CVE at CVSS 7.5 HIGH and weighting it further against each customer organization's per-environment compliance policy before routing findings to the appropriate team inbox. This ensures that deployments where multi-xApp RIC sharing is in use can be prioritized over low-risk environments automatically.
Status: Available
Because no upstream fix version has been published for CVE-2026-37233, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The vulnerable iApp interface listens on port 36422 and is reachable over the network, so an attacker must be able to send TCP traffic to that port.
- Authentication: Not required
  The CVSS vector specifies PR:N, meaning no credentials or account privileges are needed to send a malicious E42_RIC_SUBSCRIPTION_DELETE_REQUEST.
- Victim interaction: Not required
  The CVSS vector specifies UI:N, so the attacker does not need any action from an operator or user to trigger the bug.
- Attack complexity: Detail
  The CVSS vector specifies AC:L, meaning the exploit is reliable and requires no race conditions, special memory layout, or other environmental preconditions beyond network access to port 36422.
Blast Radius
- A malicious xApp deletes active RIC subscriptions belonging to any other xApp sharing the same iApp instance, immediately severing their data flows.
- Targeted xApps lose all subscription state they had established, forcing them into a degraded or non-functional operating mode until subscriptions are manually re-established.
- In deployments with multiple tenants or operators sharing a single RIC, one compromised or malicious xApp can disrupt the entire multi-xApp environment without elevated privileges.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-37233 is active across all scanning environments and will match any image that bundles FlexRIC v2.0.0 as soon as the image enters a customer registry or pipeline. Because no upstream fix exists yet, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment a fix version is published; for customers with auto-remediation enabled, this triggers a full rebuild, regression test run, and PR opened against affected workloads without manual intervention. In the meantime, compensating controls worth considering include network-policy isolation that restricts port 36422 access to explicitly trusted xApp identities only, egress filtering at the pod or container level to prevent untrusted xApps from reaching the iApp, and where operationally feasible, running each tenant's xApps against separate RIC instances to restore isolation at the infrastructure layer rather than relying on the broken software-level check.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H