Cyber Resilience

CVE-2026-37228

HighPublic PoC

Published: 01 June 2026

Published
01 June 2026
Modified
03 June 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0044 35.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-37228 is a high-severity Reachable Assertion (CWE-617) vulnerability in Mosaic5G Flexric. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

No EU or UK CSIRT advisories indexed for this CVE.

Vulnerability details

FlexRIC v2.0.0 contains a reachable assertion in e2ap_recv_sctp_msg() (src/lib/ep/e2ap_ep.c). The function allocates a fixed 32KB receive buffer and enforces assert(rc < len) on the sctp_recvmsg() return value. A remote unauthenticated attacker can send a single SCTP message with payload >=…

more

32,768 bytes to crash the near-RT RIC, iApp, E2 Agent, or xApp process via SIGABRT. No valid E2AP PDU is required. All four SCTP endpoint types (ports 36421 and 36422) share this vulnerable code path. In Release builds (NDEBUG), the stripped assertion leads to a signed-to-unsigned integer overflow and potential out-of-bounds read.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated SCTP message triggers assertion failure (or integer overflow/OOB read in release builds) to crash the public-facing RIC/E2 endpoints, directly enabling T1190 exploitation of a public-facing app and T1499.004 application exploitation for DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-37229Same product: Mosaic5G Flexric
CVE-2026-37233Same product: Mosaic5G Flexric
CVE-2026-37235Same product: Mosaic5G Flexric
CVE-2026-37231Same product: Mosaic5G Flexric
CVE-2026-37226Same product: Mosaic5G Flexric
CVE-2026-37230Same product: Mosaic5G Flexric
CVE-2026-37234Same product: Mosaic5G Flexric
CVE-2024-24427Shared CWE-617
CVE-2024-24428Shared CWE-617
CVE-2024-24420Shared CWE-617

Affected Assets

mosaic5g
flexric
2.0.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References