CVE-2026-37226
Published: 01 June 2026
Summary
CVE-2026-37226 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Mosaic5G Flexric. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 35.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. A public proof-of-concept is referenced.
EU & UK References
No EU or UK CSIRT advisories indexed for this CVE.
Vulnerability details
FlexRIC v2.0.0 crashes when the iApp receives an E42_RIC_SUBSCRIPTION_REQUEST referencing a non-existent E2 Node. The lookup function returns NULL; Debug builds guard the result only with assert() and abort (SIGABRT), while Release builds dereference it (SIGSEGV). A remote unauthenticated attacker can crash the iApp process (port 36422) by sending a subscription request with an arbitrary global_e2_node_id.
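The failure pattern described above next to a checked alternative, as an added C example that is not FlexRIC's code: the types, function names, integer node id and registry contents are hypothetical simplifications.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical types and names for illustration; not FlexRIC's own. */
typedef struct { uint32_t node_id; int n_subs; } e2_node_t;

static e2_node_t g_nodes[] = { {101, 0}, {102, 0} };   /* constructed registry */

/* Returns NULL when no connected node carries the requested id. */
static e2_node_t *find_node(uint32_t node_id) {
    for (size_t i = 0; i < sizeof g_nodes / sizeof g_nodes[0]; i++)
        if (g_nodes[i].node_id == node_id) return &g_nodes[i];
    return NULL;
}

/* Pattern described above: the only guard is assert(). A Debug build aborts
 * (SIGABRT); with -DNDEBUG the assert expands to nothing and the next line
 * dereferences NULL (SIGSEGV). Either way the process dies on peer input. */
int handle_sub_req_assert_only(uint32_t node_id) {
    e2_node_t *n = find_node(node_id);
    assert(n != NULL);
    n->n_subs++;
    return 0;
}

enum { SUB_OK = 0, SUB_ERR_UNKNOWN_NODE = -1 };

/* Hardened form: an unknown id is an expected runtime condition on network
 * input, so it is checked in every build and reported to the caller, which
 * can reject the request instead of terminating the process. */
int handle_sub_req_checked(uint32_t node_id) {
    e2_node_t *n = find_node(node_id);
    if (n == NULL) {
        fprintf(stderr, "subscription rejected: unknown E2 node %u\n", (unsigned)node_id);
        return SUB_ERR_UNKNOWN_NODE;
    }
    n->n_subs++;
    return SUB_OK;
}

int main(void) {
    printf("known node   -> %d\n", handle_sub_req_checked(101));
    printf("unknown node -> %d\n", handle_sub_req_checked(999));
    return 0;
}
```

Building the same source with and without `-DNDEBUG` shows why an assert() cannot serve as input validation: the check exists only in the Debug binary.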
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A NULL pointer dereference in an unauthenticated network handler enables remote application DoS via a crafted E2 subscription request.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.