CVE•Published 2026-06-01•Modified 2026-06-03•0 articles on news•5 live references•NVD data

CVE-2026-37228Mosaic5g · Flexric

Vulnerability data via NVD (ingested)

CVSS v3.1

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS percentile

—

Weaknesses (CWE)

CWE-617Reachable Assertion

Description

FlexRIC v2.0.0 contains a reachable assertion in e2ap_recv_sctp_msg() (src/lib/ep/e2ap_ep.c). The function allocates a fixed 32KB receive buffer and enforces assert(rc < len) on the sctp_recvmsg() return value. A remote unauthenticated attacker can send a single SCTP message with payload >= 32,768 bytes to crash the near-RT RIC, iApp, E2 Agent, or xApp process via SIGABRT. No valid E2AP PDU is required. All four SCTP endpoint types (ports 36421 and 36422) share this vulnerable code path. In Release builds (NDEBUG), the stripped assertion leads to a signed-to-unsigned integer overflow and potential out-of-bounds read.

Timeline

Published 2026-06-01

Modified 2026-06-03

External references

NVD MITRE Exploit-DB Sploitus VulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts

vuln:CVE-2026-37228

Hosts Shodan has explicitly fingerprinted as vulnerable.

Shodan · product + version

product:"Mosaic5g Flexric" version:"2.0.0"

Version-pinned fingerprint from NVD's first vulnerable CPE.

Shodan · banner/body mention

http.html:"Flexric"

HTTP body or banner mentions "Flexric" — catches deploys Shodan didn't identify as a product.

More intel sources (5)

Shodan report

vuln:CVE-2026-37228