Cyber Resilience

CVE-2026-37232

HighUpdated

Published: 01 June 2026

Published
01 June 2026
Modified
17 June 2026
KEV Added
Patch
CVSS Score v3.1 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
EPSS Score 0.0039 31.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-37232 is a high-severity Divide By Zero (CWE-369) vulnerability in Openairinterface Openairinterface5G. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 31.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

No EU or UK CSIRT advisories indexed for this CVE.

Vulnerability details

An issue was discovered in OpenAirInterface5G 2.4.0 (nr-softmodem) in the E2SM-KPM RAN Function's PRB utilization metric calculation. The functions fill_RRU_PrbTotDl() and fill_RRU_PrbTotUl() in openair2/E2AP/RAN_FUNCTION/O-RAN/ran_func_kpm_subs.c (lines 182 and 197) compute PRB usage percentages by dividing by the difference of two consecutive…

more

total_prb_aggregate samples without checking for zero. When a malicious xApp sends a high volume of E42_RIC_SUBSCRIPTION_REQUESTs via the FlexRIC iApp (port 36422/SCTP), the E2 Agent generates KPM Indication reports at high frequency. If two consecutive sampling intervals yield identical PRB aggregate values, the divisor becomes zero, triggering SIGFPE and crashing the entire 5G base station process (nr-softmodem). This results in complete 5G cell service interruption for all connected UEs. No authentication is required.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability allows unauthenticated remote attackers to trigger a SIGFPE crash in the nr-softmodem process via crafted E2 subscription requests, directly enabling application/system exploitation for endpoint denial of service.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30075Same vendor: Openairinterface
CVE-2026-30078Same vendor: Openairinterface
CVE-2025-65805Same vendor: Openairinterface
CVE-2026-25799Shared CWE-369
CVE-2026-31884Shared CWE-369
CVE-2026-30077Same vendor: Openairinterface
CVE-2026-35215Shared CWE-369
CVE-2025-66786Same vendor: Openairinterface
CVE-2026-33593Shared CWE-369
CVE-2024-8063Shared CWE-369

Affected Assets

openairinterface
openairinterface5g
2.4.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References