Cyber Resilience

CVE-2026-37230

High · Public PoC

Published: 01 June 2026

Modified: 03 June 2026
KEV Added
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0044 (35.4th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-37230 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Mosaic5G Flexric. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 35.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

EU & UK References

No EU or UK CSIRT advisories indexed for this CVE.

Vulnerability details

FlexRIC v2.0.0 crashes when the near-RT RIC receives a RIC_INDICATION message with a ran_func_id that does not exist in its registry. The lookup returns NULL, triggering assert() in Debug builds (SIGABRT) or a NULL pointer dereference in Release builds (SIGSEGV). A remote unauthenticated attacker can crash the near-RT RIC (port 36421) by sending a crafted RIC_INDICATION with an arbitrary ran_func_id value.
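A defensive pattern for the lookup described above, as an added example that is not FlexRIC's code: the handler treats an unregistered ran_func_id as peer-controlled input to reject and count, not as an invariant to assert on. All type, function and id names are hypothetical, and the registry contents are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical types and names for illustration; not FlexRIC's data structures. */
typedef struct {
    uint16_t ran_func_id;
    int (*on_indication)(const uint8_t *payload, size_t len);
} ran_func_t;

typedef enum { IND_OK = 0, IND_UNKNOWN_RAN_FUNC = -1, IND_BAD_MSG = -2 } ind_status_t;

static int count_bytes(const uint8_t *payload, size_t len) { (void)payload; return (int)len; }

/* Constructed registry holding two registered RAN functions. */
static const ran_func_t registry[] = { { 142, count_bytes }, { 143, count_bytes } };

/* Returns NULL when the id is not registered; callers must check. */
static const ran_func_t *find_ran_func(uint16_t id)
{
    for (size_t i = 0; i < sizeof registry / sizeof registry[0]; i++)
        if (registry[i].ran_func_id == id)
            return &registry[i];
    return NULL;
}

static unsigned long dropped_unknown; /* counter a monitoring hook could export */

/* Handles one indication. The id comes from the network, so a failed lookup is
 * an expected runtime condition. assert(rf != NULL) would abort a Debug build
 * and compile away under NDEBUG, leaving the dereference below unguarded. */
ind_status_t handle_indication(uint16_t ran_func_id, const uint8_t *payload, size_t len)
{
    if (payload == NULL && len != 0)
        return IND_BAD_MSG;

    const ran_func_t *rf = find_ran_func(ran_func_id);
    if (rf == NULL) {
        dropped_unknown++;
        fprintf(stderr, "RIC_INDICATION dropped: unknown ran_func_id %u\n",
                (unsigned)ran_func_id);
        return IND_UNKNOWN_RAN_FUNC;
    }
    return rf->on_indication(payload, len) >= 0 ? IND_OK : IND_BAD_MSG;
}

unsigned long dropped_unknown_count(void) { return dropped_unknown; }
```

A rising drop counter on a deployed listener is also a useful detection signal for malformed or probing traffic.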

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 · Application or System Exploitation · Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

NULL dereference in RIC message handler directly enables remote application crash via crafted input, matching Endpoint DoS via exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-37226 · Same product: Mosaic5G Flexric
CVE-2026-37231 · Same product: Mosaic5G Flexric
CVE-2026-37228 · Same product: Mosaic5G Flexric
CVE-2026-37234 · Same product: Mosaic5G Flexric
CVE-2026-37229 · Same product: Mosaic5G Flexric
CVE-2026-37235 · Same product: Mosaic5G Flexric
CVE-2026-37233 · Same product: Mosaic5G Flexric
CVE-2025-63648 · Shared CWE-476
CVE-2025-69624 · Shared CWE-476
CVE-2026-26828 · Shared CWE-476

Affected Assets

mosaic5g · flexric · 2.0.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References