Cyber Resilience

CVE-2026-37222

High

Published: 01 June 2026

Modified: 01 June 2026
KEV Added
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0043 (34.1th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-37222 is a high-severity Reachable Assertion (CWE-617) vulnerability in Eurecom (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 34.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

FlexRIC v2.0.0 uses hardcoded assertions to validate Information Element (IE) counts in decoded E2AP messages. A remote unauthenticated attacker can send a valid E2AP PDU containing an unexpected number of IEs (e.g., an E2setupRequest with extra optional fields) to crash the near-RT RIC (port 36421) or iApp (port 36422) via SIGABRT. The code asserts exact IE counts rather than validating against protocol-specified ranges.
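The difference between asserting an exact IE count and validating it against a range, as an added example that is not FlexRIC's own code. The struct, function names and the bounds 2 and 6 are hypothetical and constructed for illustration; the real limits come from the E2AP specification.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical decoded message: only the IE count matters for this example. */
typedef struct {
    size_t ie_count;   /* number of IEs the decoder found in the PDU */
} decoded_msg_t;

/* Constructed bounds for illustration, not taken from the E2AP specification. */
enum { SETUP_REQ_MIN_IES = 2, SETUP_REQ_MAX_IES = 6 };

typedef enum { MSG_OK = 0, MSG_ERR_IE_COUNT = -1 } msg_status_t;

/* Vulnerable pattern (CWE-617): the peer controls ie_count, so a valid PDU
 * that carries optional IEs fails the assert and abort() raises SIGABRT.
 * Building with NDEBUG removes the check entirely, which is not validation either. */
void handle_setup_request_asserting(const decoded_msg_t *m)
{
    assert(m->ie_count == SETUP_REQ_MIN_IES);
    /* ... process IEs ... */
}

/* Hardened pattern: treat the count as untrusted input, check it against the
 * allowed range, and return a recoverable error instead of aborting. */
msg_status_t handle_setup_request_checked(const decoded_msg_t *m)
{
    if (m == NULL)
        return MSG_ERR_IE_COUNT;
    if (m->ie_count < SETUP_REQ_MIN_IES || m->ie_count > SETUP_REQ_MAX_IES)
        return MSG_ERR_IE_COUNT;   /* caller rejects this message, keeps serving */
    /* ... process mandatory IEs, then whichever optional IEs are present ... */
    return MSG_OK;
}

int main(void)
{
    /* Constructed sample counts: too few, mandatory only, with optionals, too many. */
    const size_t samples[] = { 0, 2, 4, 7 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        decoded_msg_t m = { samples[i] };
        printf("ie_count=%zu -> %s\n", samples[i],
               handle_setup_request_checked(&m) == MSG_OK ? "accepted" : "rejected");
    }
    return 0;
}
```

The checked handler lets the caller answer an out-of-range message with a protocol-level failure and keep the process alive, which is what removes the denial-of-service condition.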

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A crafted E2AP PDU from a remote unauthenticated attacker triggers a reachable assertion, leading to a SIGABRT crash of the public-facing RIC/iApp service. This directly matches application exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-37225: Shared CWE-617
CVE-2026-41485: Shared CWE-617
CVE-2023-37021: Shared CWE-617
CVE-2023-37029: Shared CWE-617
CVE-2026-37220: Shared CWE-617
CVE-2026-23555: Shared CWE-617
CVE-2026-31739: Shared CWE-617
CVE-2023-37018: Shared CWE-617
CVE-2023-37017: Shared CWE-617
CVE-2026-22990: Shared CWE-617

Affected Assets

Eurecom
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
