Cyber Resilience

CVE-2026-37223

High

Published: 01 June 2026

Modified: 01 June 2026
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0044 (34.8th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-37223 is a high-severity Reachable Assertion (CWE-617) vulnerability affecting a Eurecom product (vendor inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Service Stop (T1489). The CVE ranks at the 34.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.


Vulnerability details

FlexRIC v2.0.0 contains a reachable assertion in the iApp message dispatcher. The dispatcher validates incoming E2AP messages against a 9-entry whitelist using assert(). A remote unauthenticated attacker can send any decodable E2AP PDU with a message type not in the whitelist to crash the iApp process (port 36422) via SIGABRT. Since iApp and the near-RT RIC share one process, this terminates the entire RIC service and disconnects all E2 Nodes and xApps.

CWE(s)

CWE-617 Reachable Assertion

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1489: Service Stop (Impact)
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users.
T1499.004: Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

A reachable assert() on unauthenticated E2AP input directly enables a remote crash of the RIC process (service stop) via application exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-37225 (shared CWE-617)
CVE-2026-41485 (shared CWE-617)
CVE-2023-37021 (shared CWE-617)
CVE-2023-37029 (shared CWE-617)
CVE-2026-37220 (shared CWE-617)
CVE-2026-37222 (shared CWE-617)
CVE-2026-23555 (shared CWE-617)
CVE-2026-31739 (shared CWE-617)
CVE-2023-37018 (shared CWE-617)
CVE-2023-37017 (shared CWE-617)

Affected Assets

Eurecom
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
