
CVE-2026-37232: OpenAirInterface5G DoS Vulnerability

CVE-2026-37232 is a denial of service vulnerability in OpenAirInterface5G that causes division-by-zero crashes in the E2SM-KPM RAN Function, disrupting 5G cell service. This article covers technical details, impact, and mitigation.


CVE-2026-37232 Overview

CVE-2026-37232 is a divide-by-zero vulnerability [CWE-369] in OpenAirInterface5G 2.4.0 (nr-softmodem). The flaw resides in the E2SM-KPM RAN Function's Physical Resource Block (PRB) utilization metric calculation. Functions fill_RRU_PrbTotDl() and fill_RRU_PrbTotUl() in openair2/E2AP/RAN_FUNCTION/O-RAN/ran_func_kpm_subs.c divide by the difference of two consecutive total_prb_aggregate samples without zero checks. A remote attacker can trigger a SIGFPE that crashes the entire 5G base station process. No authentication is required, and the attack vector is the network-facing FlexRIC iApp interface.

Critical Impact

Unauthenticated remote attackers can crash the nr-softmodem process, causing complete 5G cell service interruption for all connected User Equipment (UE).

Affected Products

  • OpenAirInterface5G 2.4.0 (nr-softmodem)
  • OpenAirInterface E2 Agent component
  • Deployments exposing FlexRIC iApp on port 36422/SCTP

Discovery Timeline

  • 2026-06-01 - CVE-2026-37232 published to the National Vulnerability Database (NVD)
  • 2026-06-03 - Last updated in NVD database

Technical Details for CVE-2026-37232

Vulnerability Analysis

The vulnerability is a classic divide-by-zero defect in the E2 Service Model for Key Performance Measurement (E2SM-KPM) RAN Function. The affected code computes PRB utilization as a percentage between two consecutive sampling intervals. Specifically, lines 182 and 197 of ran_func_kpm_subs.c perform arithmetic that uses the difference between two total_prb_aggregate samples as a divisor.

When consecutive samples return identical values, that difference evaluates to zero. The division then traps and the process receives SIGFPE (signal 8, reported as a floating-point exception), terminating the nr-softmodem process. Because nr-softmodem hosts the entire gNodeB stack, the crash terminates 5G radio service for every attached UE in the cell.

An attacker triggers the condition by flooding the E2 Agent with E42_RIC_SUBSCRIPTION_REQUEST messages through the FlexRIC iApp listener on SCTP port 36422. The high request rate causes the agent to emit KPM Indication reports faster than PRB counters advance, producing identical consecutive aggregate values.

Root Cause

The root cause is missing input validation on a denominator before division. The developers assumed total_prb_aggregate values would always increase between sampling intervals. The code does not validate that assumption, violating safe arithmetic practice for any externally influenced operand.

Attack Vector

The attack is fully remote and unauthenticated. A malicious xApp connects to the FlexRIC iApp on SCTP port 36422 and submits a high volume of E42 RIC subscription requests. The attacker controls the indication report frequency, forcing the divisor to zero and crashing the base station. See the GitHub Security Advisory CVE-2026-37232 for the technical write-up.

Detection Methods for CVE-2026-37232

Indicators of Compromise

  • Unexpected termination of the nr-softmodem process with exit signal SIGFPE (signal 8) recorded in system logs or core dumps.
  • High-frequency inbound SCTP connections to port 36422 from unauthorized xApp endpoints.
  • Bursts of E42_RIC_SUBSCRIPTION_REQUEST messages preceding gNodeB outage events.
  • Sudden loss of radio service for all UEs attached to a cell without a corresponding scheduled maintenance event.

Detection Strategies

  • Monitor process supervisors and systemd journals for nr-softmodem crash loops correlated with E2 traffic spikes.
  • Inspect E2AP/E2SM-KPM message rates per xApp identity and alert on subscription request rates that exceed operational baselines.
  • Deploy network intrusion detection signatures for malformed or high-volume SCTP traffic on port 36422.

Monitoring Recommendations

  • Forward gNodeB process telemetry, core dump metadata, and SCTP flow logs to a central analytics platform for correlation.
  • Track KPM indication report cadence and flag intervals where consecutive PRB aggregate values are identical.
  • Alert when xApp subscription churn exceeds normal RIC orchestration patterns.

How to Mitigate CVE-2026-37232

Immediate Actions Required

  • Restrict network reachability to SCTP port 36422 so that only trusted Near-RT RIC and xApp components can connect to the FlexRIC iApp.
  • Apply allowlisting and mutual authentication on the E2 interface where supported by the deployment.
  • Enforce rate limiting on E42_RIC_SUBSCRIPTION_REQUEST traffic at the network boundary.
  • Monitor the OpenAirInterface project repository for an upstream patch and stage upgrades in lab environments before production rollout.

Patch Information

At the time of publication, no fixed version is referenced in the NVD entry. Track the OpenAirInterface GitLab repository and the GitHub Security Advisory CVE-2026-37232 for updates. A correct fix must validate that the denominator is non-zero before performing the division in fill_RRU_PrbTotDl() and fill_RRU_PrbTotUl().
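
The denominator check described above, as an added C example that is not OpenAirInterface code: every type, function and field name is hypothetical, and the percentage formula is a simplified stand-in for the PRB calculation. The checked form refuses a zero or negative delta instead of dividing, and counts unchanged-aggregate reports so the same counter can feed the monitoring recommendation on identical consecutive values.

```c
#include <stdint.h>
#include <stdio.h>
/* All names are hypothetical; this is not the OpenAirInterface source. */
typedef enum { PRB_OK, PRB_NO_DELTA, PRB_REGRESSED } prb_status_t;
typedef struct {
    uint64_t used_prev, tot_prev; /* previous sample pair */
    uint32_t stale_reports;       /* reports that saw an unchanged aggregate */
} prb_sampler_t;

/* Simplified unsafe pattern: the divisor is the difference of two consecutive
 * aggregate samples. Equal samples make it zero and the division traps. */
uint32_t prb_util_unchecked(uint64_t d_used, uint64_t tot_now, uint64_t tot_prev)
{
    return (uint32_t)(d_used * 100 / (tot_now - tot_prev));
}

/* Hardened form: validate the denominator before dividing and report why no
 * percentage could be produced instead of trapping. */
prb_status_t prb_util_checked(prb_sampler_t *s, uint64_t used_now,
                              uint64_t tot_now, uint32_t *pct)
{
    prb_status_t st = PRB_OK;
    *pct = 0;
    if (tot_now == s->tot_prev) {            /* zero divisor: report arrived */
        s->stale_reports++;                  /* before the counter advanced  */
        st = PRB_NO_DELTA;
    } else if (tot_now < s->tot_prev || used_now < s->used_prev) {
        st = PRB_REGRESSED;                  /* counter reset or wrap */
    } else {
        uint64_t d_tot = tot_now - s->tot_prev;
        uint64_t d_used = used_now - s->used_prev;
        if (d_used > d_tot) d_used = d_tot;  /* clamp to 100 % */
        /* divide first when d_used * 100 would overflow 64 bits */
        *pct = (uint32_t)(d_used > UINT64_MAX / 100 ? d_used / (d_tot / 100)
                                                    : d_used * 100 / d_tot);
    }
    s->used_prev = used_now;                 /* always re-baseline */
    s->tot_prev = tot_now;
    return st;
}

int main(void)
{
    prb_sampler_t s = {40, 100, 0};          /* constructed previous sample */
    uint32_t pct;
    prb_status_t st = prb_util_checked(&s, 40, 100, &pct); /* same aggregate */
    printf("repeat: status=%d pct=%u stale=%u\n", st, pct, s.stale_reports);
    return 0;
}
```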

Workarounds

  • Disable the E2SM-KPM RAN function on production gNodeBs until a patched build is available.
  • Place the FlexRIC iApp behind a dedicated management VLAN unreachable from xApp tenants.
  • Deploy a process supervisor that restarts nr-softmodem on SIGFPE to minimize outage duration while a patch is pending.
  • Maintain offline radio failover capacity to limit user impact if the gNodeB crashes.
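
```bash
# Example: restrict SCTP/36422 to a trusted Near-RT RIC subnet using nftables.
# 10.10.20.0/24 is a placeholder; substitute the subnet of your Near-RT RIC.
# The chain policy is accept so that only SCTP/36422 is filtered; a drop policy
# on this chain would also cut SSH, loopback and every other inbound flow.
nft add table inet oai_filter
nft add chain inet oai_filter input { type filter hook input priority 0 \; policy accept \; }
nft add rule inet oai_filter input ip saddr 10.10.20.0/24 sctp dport 36422 accept
nft add rule inet oai_filter input sctp dport 36422 drop
```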

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
