Mosaic5g

Flexric

8 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
Exploit
  • EPSS 0.64%
  • Published 01.06.2026 00:00:00
  • Last modified 03.06.2026 17:16:40

FlexRIC v2.0.0 crashes when the iApp receives an E42_RIC_SUBSCRIPTION_REQUEST referencing a non-existent E2 Node. The lookup function returns NULL, which is enforced by assert() in Debug builds (SIGABRT) and dereferenced in Release builds (SIGSEGV). ...

Exploit
  • EPSS 0.64%
  • Published 01.06.2026 00:00:00
  • Last modified 03.06.2026 17:16:35

FlexRIC v2.0.0 contains a reachable assertion in e2ap_recv_sctp_msg() (src/lib/ep/e2ap_ep.c). The function allocates a fixed 32KB receive buffer and enforces assert(rc < len) on the sctp_recvmsg() return value. A remote unauthenticated attacker can s...

Exploit
  • EPSS 0.62%
  • Published 01.06.2026 00:00:00
  • Last modified 03.06.2026 17:16:30

FlexRIC v2.0.0 contains a reachable assertion in e2ap_create_pdu() triggered when ASN.1 PER decoding fails. A remote unauthenticated attacker can send any non-PER byte sequence (e.g., a single 0x00 byte) over SCTP to the near-RT RIC (port 36421) or i...

Exploit
  • EPSS 0.64%
  • Published 01.06.2026 00:00:00
  • Last modified 03.06.2026 17:16:22

FlexRIC v2.0.0 crashes when the near-RT RIC receives a RIC_INDICATION message with a ran_func_id that does not exist in its registry. The lookup returns NULL, triggering assert() in Debug builds (SIGABRT) or NULL pointer dereference in Release builds...

Exploit
  • EPSS 0.49%
  • Published 01.06.2026 00:00:00
  • Last modified 03.06.2026 17:16:15

FlexRIC v2.0.0 uses a uint16_t counter for xapp_id assignment but stores the value in uint32_t message fields. After 65,530+ E42_SETUP_REQUESTs, the 16-bit counter wraps around and produces duplicate xapp_ids. The iApp (port 36422) crashes when attem...

Exploit
  • EPSS 0.45%
  • Published 01.06.2026 00:00:00
  • Last modified 03.06.2026 17:16:08

FlexRIC v2.0.0 contains an authorization bypass in the iApp's xApp isolation mechanism. The equality function eq_xapp_ric_gen_id() in src/ric/iApp/xapp_ric_id.c compares m0->xapp_id against itself (m0->xapp_id) instead of the other argument (m1->xapp...

Exploit
  • EPSS 0.57%
  • Published 01.06.2026 00:00:00
  • Last modified 03.06.2026 17:15:58

FlexRIC v2.0.0 trusts the xapp_id field from E42 message payloads without binding it to the sender's SCTP association. The validation function valid_xapp_id() only checks that the value is within the assigned range. A remote unauthenticated attacker ...

Exploit
  • EPSS 0.35%
  • Published 01.06.2026 00:00:00
  • Last modified 05.06.2026 20:42:19

FlexRIC v2.0.0 allows a single SCTP connection to bind multiple xapp_ids by sending multiple E42_SETUP_REQUESTs. On disconnect, only the first registered xapp_id's resources are cleaned up; subsequent xapp_ids and their subscriptions remain as stale ...