CVE-2026-37235: FlexRIC v2
FlexRIC v2.0.0 trusts the xapp_id field from E42 message payloads without binding it to the sender's SCTP association. The validation function valid_xapp_id() only checks that the value is within the assigned range. A remote unauthenticated attacker can impersonate any xApp by placing the victim's xapp_id in requests sent to the iApp (port 36422), causing responses to be misrouted to the victim xApp. This can crash the victim xApp, the RIC, or the iApp itself through state inconsistencies in the red-black tree data structure.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An ID spoofing vulnerability in FlexRIC v2.0.0 allows a remote unauthenticated attacker to impersonate any registered xApp by supplying an arbitrary xapp_id in E42 message payloads sent to the iApp on port 36422. Because the valid_xapp_id() function only checks whether the value falls within an assigned range and does not bind it to the sender's SCTP association, there is no way to detect the forgery. Successful exploitation causes misrouted responses that crash the victim xApp, the RIC, or the iApp itself through state corruption in the red-black tree data structure. No upstream fix version has been published; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as one is released.
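To make the difference between a range-only check and an association-bound check concrete, here is an added example in C. It is not FlexRIC's code: the id range, the registry layout and every function name (registry_init, register_xapp, deregister_assoc, valid_xapp_id_range_only, valid_xapp_id_bound, route_response_range_only, route_response_bound) are assumptions for illustration, and the SCTP association ids are constructed values. The vulnerable dispatch shows why a forged in-range id reaches the victim; the hardened dispatch records which association registered each id and drops any message whose claimed id is bound to a different peer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical constants for this example; FlexRIC's real id range is not on the page. */
#define XAPP_ID_MIN 1
#define XAPP_ID_MAX 16
#define NO_ASSOC    (-1)

/* One slot per xapp_id: the SCTP association that registered it (NO_ASSOC if free). */
static int bound_assoc[XAPP_ID_MAX + 1];

void registry_init(void)
{
    for (int id = 0; id <= XAPP_ID_MAX; ++id)
        bound_assoc[id] = NO_ASSOC;
}

/* Range-only validation, the pattern the advisory describes: any in-range id
 * passes, regardless of which association sent it. */
bool valid_xapp_id_range_only(uint16_t xapp_id)
{
    return xapp_id >= XAPP_ID_MIN && xapp_id <= XAPP_ID_MAX;
}

/* Hardened validation: the id must be in range AND bound to the association
 * the message actually arrived on. */
bool valid_xapp_id_bound(uint16_t xapp_id, int sender_assoc)
{
    if (!valid_xapp_id_range_only(xapp_id))
        return false;
    return bound_assoc[xapp_id] == sender_assoc;
}

/* Registration: the iApp assigns the next free id and records the sender's
 * association; the sender never chooses its own id. Returns -1 when full. */
int register_xapp(int sender_assoc)
{
    for (int id = XAPP_ID_MIN; id <= XAPP_ID_MAX; ++id) {
        if (bound_assoc[id] == NO_ASSOC) {
            bound_assoc[id] = sender_assoc;
            return id;
        }
    }
    return -1;
}

/* Association teardown: release every id the peer held so a stale binding
 * cannot be inherited by a later peer. */
void deregister_assoc(int sender_assoc)
{
    for (int id = XAPP_ID_MIN; id <= XAPP_ID_MAX; ++id)
        if (bound_assoc[id] == sender_assoc)
            bound_assoc[id] = NO_ASSOC;
}

/* Vulnerable dispatch: the response goes to whichever association owns the
 * claimed id, so a forged id sends the reply to the victim xApp. */
int route_response_range_only(uint16_t claimed_id)
{
    if (!valid_xapp_id_range_only(claimed_id))
        return NO_ASSOC;
    return bound_assoc[claimed_id];
}

/* Hardened dispatch: a claimed id not bound to the sender's own association
 * is rejected and the message is dropped before any state is touched. */
int route_response_bound(uint16_t claimed_id, int sender_assoc)
{
    if (!valid_xapp_id_bound(claimed_id, sender_assoc)) {
        fprintf(stderr, "drop: xapp_id %u is not bound to assoc %d\n",
                (unsigned)claimed_id, sender_assoc);
        return NO_ASSOC;
    }
    return sender_assoc;
}

int main(void)
{
    registry_init();
    int victim_assoc = 7, other_assoc = 9;         /* constructed association ids */
    int victim_id = register_xapp(victim_assoc);   /* gets id 1 */
    int other_id  = register_xapp(other_assoc);    /* gets id 2 */

    printf("range-only: assoc %d claims id %d -> reply routed to assoc %d\n",
           other_assoc, victim_id, route_response_range_only((uint16_t)victim_id));
    printf("bound:      assoc %d claims id %d -> %d (NO_ASSOC means dropped)\n",
           other_assoc, victim_id, route_response_bound((uint16_t)victim_id, other_assoc));
    printf("bound:      assoc %d uses own id %d -> reply routed to assoc %d\n",
           other_assoc, other_id, route_response_bound((uint16_t)other_id, other_assoc));
    return 0;
}
```

The key design point is that the binding is created at registration by the iApp, not taken from the payload, and released on association teardown; a lookup keyed on the transport identity then turns every forged id into a dropped message rather than a misrouted response.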
HarborGuard Coverage
Detection of CVE-2026-37235 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all images in customer registries and CI pipelines, including custom-built images that package FlexRIC v2.0.0. (Status: Available)
HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and weighs that score against each environment's compliance policy to determine whether SLA thresholds are breached; findings are routed to the appropriate team inbox within the customer org based on image ownership and policy configuration. (Status: Available)
Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released upstream. In the interim, customers can apply compensating-control annotations through HarborGuard to flag affected images for manual review and block promotion to production registries. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required
The attacker must reach the iApp service over the network on port 36422; no local access or physical presence is needed.
- Authentication: Not required
No credentials are required; the attacker sends crafted E42 payloads as an unauthenticated sender.
- Victim interaction: Not required
The vulnerability is triggered entirely by the attacker's own requests; no action from a legitimate user or xApp operator is needed.
- Attack complexity: Low (AC:L in the published vector)
Exploitation is reliable and condition-free; the attacker only needs to specify a valid-range xapp_id value, which requires no race condition or environmental tuning.
Blast Radius
- Crashes the victim xApp: responses to the attacker's requests are routed to the victim, which receives them in a state it did not expect, corrupting its internal context.
- Corrupts the red-black tree data structure inside the RIC or iApp, which can bring down the entire RIC platform and disrupt radio network orchestration.
- Enables repeated denial-of-service against any registered xApp without authentication by cycling through valid xapp_id values.
- Disrupts all xApps and network functions that depend on the affected RIC for near-real-time control, extending the blast radius beyond the directly targeted xApp.
How HarborGuard Handles This
Available on HarborGuard: because no upstream patch exists for CVE-2026-37235, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically once a fix version is published. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression-test run and a PR opened against affected workloads. While no fix is available, HarborGuard supports compensating controls: customers can use network-policy isolation to restrict access to port 36422 to known SCTP peers, apply image-promotion gates that block FlexRIC v2.0.0 images from reaching production, and configure alert routing so that any deployment of the affected image triggers immediate triage. These controls can be configured per-environment through HarborGuard compliance policies without waiting for an upstream release.
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H