CVE-2026-37227

HIGH NVD

CVSS Score 7.5

Severity HIGH

Published Jun 01, 2026

Vendor unknown

Description

FlexRIC v2.0.0 contains reachable assert(0) calls in stub message handlers for whitelisted but unimplemented E2AP message types in the near-RT RIC. A remote unauthenticated attacker can send a decodable E2AP PDU of such a type (e.g., E2nodeConfigurationUpdate) to crash the near-RT RIC process (port 36421) via SIGABRT. The message passes whitelist validation but triggers an unconditional assertion in the handler.

References

https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37227.md
https://gitlab.eurecom.fr/mosaic5g/flexric