CVE-2026-37224NVD

Description

FlexRIC v2.0.0 crashes when receiving a duplicate E2_SETUP_REQUEST from the same or spoofed E2 Node. The iApp registry enforces node ID uniqueness via assert() rather than graceful rejection. A remote unauthenticated attacker can crash the iApp process (port 36421) by sending two E2_SETUP_REQUESTs with the same E2 node configuration, triggering SIGABRT.

Severity Level

HIGH (7.5)

Published Date

01/06/2026

Last Modified

01/06/2026

Exploitation Status

????

References

https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37224.md
https://gitlab.eurecom.fr/mosaic5g/flexric