CVE-2026-37225

High

Published: 01 June 2026

Modified: 01 June 2026
KEV Added
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0042 (33.1st percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-37225 is a high-severity Reachable Assertion (CWE-617) vulnerability; the affected vendor, Eurecom, is inferred from the references. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 33.1st percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

FlexRIC v2.0.0 crashes when the iApp receives an E42_RIC_SUBSCRIPTION_REQUEST with an empty ricEventTriggerDefinition field. The E42 layer decoder accepts this as valid, but the E2AP encoder asserts a non-empty constraint when forwarding the request. A remote unauthenticated attacker can crash the iApp process (port 36422) via SIGABRT by exploiting this cross-layer validation mismatch.
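
The mismatch described above, reduced to an added example that is not FlexRIC's code: a lenient decoder and an asserting encoder, next to hardened forms that enforce the constraint at the trust boundary and return an error instead of aborting. All type and function names, the error codes and the three-field wire layout are hypothetical, and the sample messages are constructed.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names and a constructed wire format; not FlexRIC's code.
 * Layout: 2-byte RAN function id, 1-byte trigger length, trigger bytes. */
typedef struct { uint16_t ran_func_id; const uint8_t *trig; size_t trig_len; } sub_req_t;
enum { SUB_OK = 0, SUB_ERR_TRUNCATED = -1, SUB_ERR_EMPTY_TRIGGER = -2, SUB_ERR_NO_SPACE = -3 };

/* Constructed sample messages: one with an empty trigger, one well-formed. */
static const uint8_t EMPTY_TRIGGER_MSG[] = { 0x00, 0x02, 0x00 };
static const uint8_t VALID_MSG[] = { 0x00, 0x02, 0x02, 0xAA, 0xBB };

/* Northbound decoder as described: only framing is checked, so a
 * zero-length event trigger is accepted as valid. */
int decode_lenient(const uint8_t *msg, size_t n, sub_req_t *out) {
    if (n < 3 || n - 3 < (size_t)msg[2]) return SUB_ERR_TRUNCATED;
    out->ran_func_id = (uint16_t)((msg[0] << 8) | msg[1]);
    out->trig = msg + 3;
    out->trig_len = msg[2];
    return SUB_OK;
}

/* Southbound encoder as described: the non-empty constraint is an assert,
 * so a peer-controlled empty field aborts the process (SIGABRT). */
int encode_asserting(const sub_req_t *r, uint8_t *dst, size_t cap) {
    assert(r->trig_len > 0);
    if (cap < r->trig_len) return SUB_ERR_NO_SPACE;
    memcpy(dst, r->trig, r->trig_len);
    return (int)r->trig_len;
}

/* Hardened decoder: enforce the encoder's constraint at the trust boundary. */
int decode_strict(const uint8_t *msg, size_t n, sub_req_t *out) {
    int rc = decode_lenient(msg, n, out);
    if (rc != SUB_OK) return rc;
    return out->trig_len == 0 ? SUB_ERR_EMPTY_TRIGGER : SUB_OK;
}

/* Hardened encoder: report the violation to the caller instead of aborting. */
int encode_checked(const sub_req_t *r, uint8_t *dst, size_t cap) {
    if (r->trig_len == 0) return SUB_ERR_EMPTY_TRIGGER;
    if (cap < r->trig_len) return SUB_ERR_NO_SPACE;
    memcpy(dst, r->trig, r->trig_len);
    return (int)r->trig_len;
}
```

With both hardened functions in place, a request rejected by the decoder never reaches the encoder, and the encoder's own check remains as a second line of defense that fails the single request rather than the process.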

CWE(s)

CWE-617 (Reachable Assertion)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A remote unauthenticated crash via a reachable assertion in a public E2 service directly matches application exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-41485 (Shared CWE-617)
CVE-2023-37021 (Shared CWE-617)
CVE-2023-37029 (Shared CWE-617)
CVE-2026-37220 (Shared CWE-617)
CVE-2026-37222 (Shared CWE-617)
CVE-2026-23555 (Shared CWE-617)
CVE-2026-31739 (Shared CWE-617)
CVE-2023-37018 (Shared CWE-617)
CVE-2023-37017 (Shared CWE-617)
CVE-2026-22990 (Shared CWE-617)

Affected Assets

Eurecom
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
