CVE-2026-37234: FlexRIC v2
FlexRIC v2.0.0 allows a single SCTP connection to bind multiple xapp_ids by sending multiple E42_SETUP_REQUESTs. On disconnect, only the first registered xapp_id's resources are cleaned up; subsequent xapp_ids and their subscriptions remain as stale entries. A remote attacker can exploit this to leak subscription state in the iApp, potentially causing resource exhaustion or state corruption over time.
Metrics
- CVSS v3.1: 8.2
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a resource-management vulnerability in FlexRIC v2.0.0, an open-source RAN Intelligent Controller framework. The flaw is reachable over the network without any authentication: an attacker opens a single SCTP connection and sends multiple E42_SETUP_REQUEST messages to register several xapp_ids, then disconnects. When the connection drops, only the first xapp_id is cleaned up; the rest persist as stale subscription entries, letting an attacker corrupt internal state or exhaust server resources over repeated cycles. No upstream fix has been published; HarborGuard is tracking the advisory for patch availability.
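The cleanup gap described above, as an added illustration (not FlexRIC source and not an upstream fix): a simplified C model of a connection-to-xapp_id table, with the first-entry-only cleanup beside two possible hardenings. The table layout and every function name are hypothetical.

```c
/* Simplified model of the registry, NOT FlexRIC source; all names are hypothetical. */
#include <stdio.h>
#define MAX_XAPPS 16
typedef struct { int conn, xapp_id, in_use; } xapp_slot;  /* one xapp_id + its subscriptions */
typedef struct { xapp_slot slot[MAX_XAPPS]; int next_id; } registry;
/* Weak: every setup request on a connection is given a fresh xapp_id. */
int setup_weak(registry *r, int conn) {
    for (int i = 0; i < MAX_XAPPS; i++)
        if (!r->slot[i].in_use) {
            r->slot[i] = (xapp_slot){ conn, r->next_id++, 1 };
            return r->slot[i].xapp_id;
        }
    return -1;  /* table full */
}
/* Weak: disconnect releases only the first entry bound to conn. */
void disconnect_weak(registry *r, int conn) {
    for (int i = 0; i < MAX_XAPPS; i++)
        if (r->slot[i].in_use && r->slot[i].conn == conn) {
            r->slot[i].in_use = 0;
            return;  /* later xapp_ids on conn stay behind as stale entries */
        }
}
/* Hardened: a second setup request on an already-bound connection is refused. */
int setup_strict(registry *r, int conn) {
    for (int i = 0; i < MAX_XAPPS; i++)
        if (r->slot[i].in_use && r->slot[i].conn == conn)
            return -1;
    return setup_weak(r, conn);
}
/* Hardened: disconnect releases every entry bound to conn. */
void disconnect_strict(registry *r, int conn) {
    for (int i = 0; i < MAX_XAPPS; i++)
        if (r->slot[i].in_use && r->slot[i].conn == conn)
            r->slot[i].in_use = 0;
}
/* Entries still live; anything counted after the only peer left is stale. */
int live_entries(const registry *r) {
    int n = 0;
    for (int i = 0; i < MAX_XAPPS; i++) n += r->slot[i].in_use;
    return n;
}
int main(void) {
    registry r = {0};
    for (int k = 0; k < 3; k++) setup_weak(&r, 7);  /* constructed: conn 7 binds 3 ids */
    disconnect_weak(&r, 7);
    printf("stale after weak cleanup: %d\n", live_entries(&r));
    disconnect_strict(&r, 7);
    printf("stale after full cleanup: %d\n", live_entries(&r));
}
```

Either hardening alone closes the gap in this model: refusing the repeated setup keeps the table at one entry per connection, and the full sweep on disconnect removes whatever was bound.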
HarborGuard Coverage
Detection for CVE-2026-37234 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that vendor FlexRIC v2.0.0 as a dependency.
Status: Available
HarborGuard scores this CVE at 8.2 HIGH using the CVSS v3.1 vector and weights it against each environment's compliance policy to prioritize routing. Triage findings are surfaced to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Status: Available
Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the interim, HarborGuard surfaces the affected image list so teams can apply compensating controls while the advisory remains open.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable SCTP endpoint is exposed over the network, and an attacker must be able to reach it remotely to send crafted E42_SETUP_REQUEST messages.
- Authentication: Not required
No credentials or prior account are needed; the attacker interacts with the service anonymously over a raw SCTP connection.
- Victim interaction: Not required
Exploitation is fully attacker-driven and requires no action from any user or administrator on the target system.
- Attack complexity
Attack complexity is low: the exploit requires only repeated, well-formed SCTP messages with no race conditions, memory-layout dependencies, or special environmental conditions to satisfy.
Blast Radius
- An attacker leaks persistent subscription state inside the iApp by leaving stale xapp_id entries that should have been removed on disconnect.
- Repeated exploitation cycles accumulate unreclaimed subscription objects, exhausting server-side memory or file-descriptor limits and degrading availability of the RIC platform.
- Stale entries can corrupt the RIC subscription table, causing legitimate xApps to receive incorrect state or fail to register cleanly.
- Integrity of the RAN control plane is weakened because the controller operates on a polluted view of active xApp sessions.
How HarborGuard Handles This
Available on HarborGuard: images containing FlexRIC v2.0.0 are flagged automatically as affected and surfaced in each customer's vulnerability dashboard. Because no upstream patch exists yet, HarborGuard re-evaluates the advisory on every ingest cycle and will trigger a patched-image rebuild the moment a fix version is published; for customers with auto-remediation enabled, that rebuild is followed by a regression-test run and a PR opened against affected workloads. While the advisory remains open, compensating controls that teams can apply immediately include network-policy rules that restrict SCTP port access to trusted xApp source addresses, egress filtering to limit which hosts can initiate E42_SETUP_REQUEST flows, and rate-limiting or connection-count caps on the SCTP listener to bound the impact of repeated connection-and-disconnect cycles.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H