CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedhatCVE•added 2026/06/05 7:46 p.m.•10 views

CVE-2026-37225

FlexRIC v2.0.0 crashes when the iApp receives an E42RICSUBSCRIPTIONREQUEST with an empty ricEventTriggerDefinition field. The E42 layer decoder accepts this as valid, but the E2AP encoder asserts a non-empty constraint when forwarding the request. A remote unauthenticated attacker can crash the...

7.5CVSS5.5AI score0.00415EPSS

RedhatCVE•added 2026/06/05 7:45 p.m.•6 views

CVE-2026-37224

FlexRIC v2.0.0 crashes when receiving a duplicate E2SETUPREQUEST from the same or spoofed E2 Node. The iApp registry enforces node ID uniqueness via assert rather than graceful rejection. A remote unauthenticated attacker can crash the iApp process port 36421 by sending two E2SETUPREQUESTs with t...

7.5CVSS5.5AI score0.00428EPSS

RedhatCVE•added 2026/06/05 7:45 p.m.•6 views

CVE-2026-37222

FlexRIC v2.0.0 uses hardcoded assertions to validate Information Element IE counts in decoded E2AP messages. A remote unauthenticated attacker can send a valid E2AP PDU containing an unexpected number of IEs e.g., an E2setupRequest with extra optional fields to crash the near-RT RIC port 36421 or...

7.5CVSS5.6AI score0.00428EPSS

RedhatCVE•added 2026/06/05 7:45 p.m.•9 views

CVE-2026-37220

FlexRIC v2.0.0 crashes when an SCTP association is closed before an E2SETUPREQUEST is sent. The near-RT RIC assumes a mapping between SCTP association and E2 node always exists in the cleanup path and enforces this via assert. A remote unauthenticated attacker can crash the near-RT RIC port 36421...

7.5CVSS5.5AI score0.00347EPSS

RedhatCVE•added 2026/06/02 10:2 p.m.•13 views

CVE-2026-37235

FlexRIC v2.0.0 trusts the xappid field from E42 message payloads without binding it to the sender's SCTP association. The validation function validxappid only checks that the value is within the assigned range. A remote unauthenticated attacker can impersonate any xApp by specifying their xappid ...

7.5CVSS5.8AI score0.00395EPSS

RedhatCVE•added 2026/06/02 4:1 p.m.•12 views

CVE-2026-37229

FlexRIC v2.0.0 contains a reachable assertion in e2apcreatepdu triggered when ASN.1 PER decoding fails. A remote unauthenticated attacker can send any non-PER byte sequence e.g., a single 0x00 byte over SCTP to the near-RT RIC port 36421 or iApp port 36422 to crash the process via SIGABRT. The...

7.5CVSS5.8AI score0.00432EPSS

RedhatCVE•added 2026/06/02 4:1 p.m.•13 views

CVE-2026-37226

FlexRIC v2.0.0 crashes when the iApp receives an E42RICSUBSCRIPTIONREQUEST referencing a non-existent E2 Node. The lookup function returns NULL, which is enforced by assert in Debug builds SIGABRT and dereferenced in Release builds SIGSEGV. A remote unauthenticated attacker can crash the iApp...

7.5CVSS6AI score0.00445EPSS

RedhatCVE•added 2026/06/02 4:1 p.m.•12 views

CVE-2026-37230

FlexRIC v2.0.0 crashes when the near-RT RIC receives a RICINDICATION message with a ranfuncid that does not exist in its registry. The lookup returns NULL, triggering assert in Debug builds SIGABRT or NULL pointer dereference in Release builds SIGSEGV. A remote unauthenticated attacker can crash...

7.5CVSS5.9AI score0.00445EPSS

RedhatCVE•added 2026/06/02 4:1 p.m.•11 views

CVE-2026-37233

FlexRIC v2.0.0 contains an authorization bypass in the iApp's xApp isolation mechanism. The equality function eqxappricgenid in src/ric/iApp/xappricid.c compares m0-xappid against itself m0-xappid instead of the other argument m1-xappid, effectively ignoring the xApp identity dimension. A malicio...

7.5CVSS5.8AI score0.00397EPSS

NVD•added 2026/06/01 9:16 p.m.•13 views

CVE-2026-37234

FlexRIC v2.0.0 allows a single SCTP connection to bind multiple xappids by sending multiple E42SETUPREQUESTs. On disconnect, only the first registered xappid's resources are cleaned up; subsequent xappids and their subscriptions remain as stale entries. A remote attacker can exploit this to leak...

8.2CVSS0.00301EPSS

NVD•added 2026/06/01 7:16 p.m.•11 views

CVE-2026-37226

7.5CVSS0.00445EPSS

NVD•added 2026/06/01 7:16 p.m.•14 views

CVE-2026-37228

FlexRIC v2.0.0 contains a reachable assertion in e2aprecvsctpmsg src/lib/ep/e2apep.c. The function allocates a fixed 32KB receive buffer and enforces assertrc = 32,768 bytes to crash the near-RT RIC, iApp, E2 Agent, or xApp process via SIGABRT. No valid E2AP PDU is required. All four SCTP endpoin...

7.5CVSS0.00445EPSS

NVD•added 2026/06/01 7:16 p.m.•8 views

CVE-2026-37233

7.5CVSS0.00397EPSS

NVD•added 2026/06/01 7:16 p.m.•11 views

CVE-2026-37230

7.5CVSS0.00445EPSS

NVD•added 2026/06/01 7:16 p.m.•12 views

CVE-2026-37229

7.5CVSS0.00432EPSS

NVD•added 2026/06/01 7:16 p.m.•10 views

CVE-2026-37231

FlexRIC v2.0.0 uses a uint16t counter for xappid assignment but stores the value in uint32t message fields. After 65,530+ E42SETUPREQUESTs, the 16-bit counter wraps around and produces duplicate xappids. The iApp port 36422 crashes when attempting to register a duplicate ID in its internal data...

7.5CVSS0.00426EPSS