Cyber Resilience

CVE-2026-37220

High

Published: 01 June 2026

Published
01 June 2026
Modified
01 June 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0035 26.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-37220 is a high-severity Reachable Assertion (CWE-617) vulnerability in Eurecom (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 26.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

FlexRIC v2.0.0 crashes when an SCTP association is closed before an E2_SETUP_REQUEST is sent. The near-RT RIC assumes a mapping between SCTP association and E2 node always exists in the cleanup path and enforces this via assert(). A remote unauthenticated…

more

attacker can crash the near-RT RIC (port 36421) by simply completing an SCTP handshake and immediately disconnecting, without sending any E2AP message.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated SCTP handshake triggers reachable assertion crash (CWE-617) on E2 RIC endpoint, directly enabling application DoS via crafted network traffic.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-37225Shared CWE-617
CVE-2026-41485Shared CWE-617
CVE-2023-37021Shared CWE-617
CVE-2023-37029Shared CWE-617
CVE-2026-37222Shared CWE-617
CVE-2026-23555Shared CWE-617
CVE-2026-31739Shared CWE-617
CVE-2023-37018Shared CWE-617
CVE-2023-37017Shared CWE-617
CVE-2026-22990Shared CWE-617

Affected Assets

Eurecom
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References