Discoverer: Geovani Benita, PhD Candidate, Singapore University of Technology and Design (SUTD)
Disclosure Date: 2026-03-30
Vendors Affected: OpenAirInterface (OAI), Eurecom Mosaic5G FlexRIC
Vulnerability Type: CWE-617 – Reachable Assertion
Impact: Denial of Service (DoS)
Attack Type: Remote (via crafted malicious xApp)
These vulnerabilities were discovered using a fuzzer/tool developed as part of PhD research into O-RAN component security. The vendors were notified via email on May 3, 2025.
Product: OpenAirInterface5G gNB/DU simulator implementation – v2.1.0
Component: OAI gNB simulation implementation (gnb-rfsim) used with FlexRIC-based xApps
CWE: CWE-617 (Reachable Assertion)
CVSS Impact: Denial of Service
Description:
An issue in the OpenAirInterface (OAI) Distributed Unit (DU) implementation v2.1.0 allows a remote attacker to cause a denial of service via an xApp that sends a control message using the MAC_STATS_V0 service model, causing an assertion failure in the OAI DU code. Specifically, the failure occurs in the write_ctrl_mac_sm function in /oai/openair2/E2AP/RAN_FUNCTION/CUSTOMIZED/ran_func_mac.c.
Attack Vector:
An attacker could craft a malicious xApp that sends a specific control message to the OAI DU, triggering an assertion failure.
Vendor Acknowledged: Yes
Reference: https://gitlab.eurecom.fr/oai/openairinterface5g/-/releases
Product: OpenAirInterface5G gNB/DU simulator implementation – v2.1.0
Component: OAI gNB nr-softmodem simulation (DU, CU-UP) using FlexRIC-based xApps
CWE: CWE-617 (Reachable Assertion)
CVSS Impact: Denial of Service
Description:
A denial-of-service (DoS) vulnerability exists in the O-RAN 2.1.0 Distributed Unit (DU and CU-UP) KPM (Key Performance Measurement) handling code. By mutating the measName field of a crafted KPM subscription message to a random string, an unsupported measurement name bypasses validation and triggers a reachable assertion in ran_func_kpm_subs.c at line 226. This results in a DU crash, disconnection of UEs, and a cascade of network slice failures: the CU-CP releases the DU and the CU-UP releases the affected UEs.
Attack Vector:
An attacker could craft a malicious xApp that sends a Subscription Request message, triggering an assertion failure.
Vendor Acknowledged: Yes
Reference: https://gitlab.eurecom.fr/oai/openairinterface5g/-/blob/develop/openair2/E2AP/RAN_FUNCTION/O-RAN/ran_func_kpm_subs.c
Product: OpenAirInterface5G gNB/DU simulator implementation – v2.1.0
Component: OAI gNB nr-softmodem simulation (DU) using FlexRIC-based xApps
CWE: CWE-617 (Reachable Assertion)
CVSS Impact: Denial of Service
Description:
A denial-of-service (DoS) vulnerability exists in the O-RAN 2.1.0 Distributed Unit (DU) E2AP implementation (FlexRIC-based), where sending a malicious E2 KPM Subscription message with a mutated ricActionType field (e.g., changing from report to insert) triggers a reachable assertion in msg_handler_agent.c at line 136: assert(sr->action->type == RIC_ACT_REPORT && "Only report supported"). This results in a DU crash, disconnection of UEs, and network instability.
Attack Vector:
An attacker could craft a malicious xApp that sends a Subscription Request message, triggering an assertion failure.
Vendor Acknowledged: Yes
References:
- https://gitlab.eurecom.fr/mosaic5g/flexric/-/blob/dev/src/agent/msg_handler_agent.c
- https://gitlab.eurecom.fr/oai/openairinterface5g/-/tree/develop/openair2/E2AP
Product: Eurecom Mosaic5G FlexRIC v2.0.0 / OpenAirInterface5G gNB CU-CP – v2.1.0
Component: FlexRIC-based O-RAN 2.1.0 Radio Control (RC) implementation
CWE: CWE-617 (Reachable Assertion)
CVSS Impact: Denial of Service
Description:
A denial-of-service (DoS) vulnerability exists in the FlexRIC-based O-RAN 2.1.0 Radio Control (RC) implementation where sending a crafted E2SM-RC Subscription message with a mutated ricEventTriggerDefinition field (e.g., changed to 0x000000) causes the ASN.1 decoder (rc_dec_event_trigger_asn in rc_dec_asn.c:953) to hit an assertion failure. This assertion aborts the RIC/CU-CP, leading to an SCTP shutdown, loss of E1 connectivity to CU-UP, forced UE context releases, and overall service disruption.
Attack Vector:
An attacker could craft a malicious xApp that sends a Subscription Request message, triggering an assertion failure.
Vendor Acknowledged: Yes
References:
- https://gitlab.eurecom.fr/mosaic5g/flexric/-/blob/dev/src/sm/rc_sm/dec/rc_dec_asn.c
- https://gitlab.eurecom.fr/oai/openairinterface5g/-/tree/develop/openair2/E2AP
Product: Eurecom Mosaic5G FlexRIC v2.0.0 / OpenAirInterface5G gNB CU-UP – v2.1.0
Component: OAI gNB nr-softmodem simulation (CU-UP) using FlexRIC-based xApps
CWE: CWE-617 (Reachable Assertion)
CVSS Impact: Denial of Service
Description:
A denial-of-service (DoS) vulnerability exists in the CU-UP's handling of the Traffic Control (TC) Service Model in an O-RAN 2.1.0 deployment. A malicious xApp (e.g., xapp_tc_codel) can craft and send an invalid E2 RIC Control message that includes a granulPeriod element (intended for the KPM Service Model) within the TC Service Model payload. This unexpected payload structure causes the CU-UP's TC decoder (dec_tc_crtl_payload_shp) to fail validation and crash instead of responding with a proper E2 Failure message. The crash results in disconnection of the CU-CP and CU-UP, followed by an F1 reset and UE context release.
Attack Vector:
An attacker could craft a malicious xApp that sends a Traffic Control message, triggering an assertion failure.
Vendor Acknowledged: Yes
References:
- https://gitlab.eurecom.fr/mosaic5g/flexric/-/blob/dev/src/sm/tc_sm/dec/tc_dec_plain.c
- https://gitlab.eurecom.fr/oai/openairinterface5g/-/tree/develop/openair2/E2AP
Product: OpenAirInterface5G gNB/DU simulator implementation – v2.1.0
Component: OAI gNB nr-softmodem simulation (DU) using FlexRIC-based xApps
CWE: CWE-617 (Reachable Assertion)
CVSS Impact: Denial of Service
Description:
A denial-of-service (DoS) vulnerability exists in the MAC Service Model decoder of the O-RAN 2.1.0 Distributed Unit (DU). Sending a crafted E2AP RIC Control and RIC Subscription message whose 3-byte RICcontrolHeader and RICcontrolMessage fields are zeroed triggers an assertion failure because the length is interpreted incorrectly (mac_ctrl_hrd_t), leading to a DU crash and disconnection of UEs and CUs.
Attack Vector:
A malicious xApp that sends a specific MAC service model message to the OAI DU can trigger an assertion failure.
Vendor Acknowledged: Yes
References:
- https://gitlab.eurecom.fr/mosaic5g/flexric/-/blob/dev/src/sm/mac_sm/dec/mac_dec_plain.c
- https://gitlab.eurecom.fr/oai/openairinterface5g/-/tree/develop/openair2/E2AP
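As an added example (not OAI or FlexRIC code), the following C sketch shows the defensive pattern that the measName, ricActionType and zeroed-header entries above all call for: validating xApp-supplied fields and returning a status the E2 agent can turn into a failure response, instead of letting those fields reach assert(). The enum values, the measurement allow-list, the 3-byte header layout and the sample buffers are assumptions constructed for this example.

```c
/* Added example, not FlexRIC/OAI code. It replaces the reachable-assertion
 * pattern quoted above (assert(sr->action->type == RIC_ACT_REPORT ...)) with
 * input validation that returns a status the agent can turn into an E2
 * Subscription/Control Failure. Enum values, the measurement allow-list and
 * the 3-byte header layout are hypothetical stand-ins for the real E2SM types. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { RIC_ACT_REPORT = 0, RIC_ACT_INSERT = 1, RIC_ACT_POLICY = 2 } ric_action_type_e;
typedef enum { E2_OK = 0, E2_ERR_ACTION_UNSUPPORTED = 1, E2_ERR_MEAS_NAME = 2 } e2_status_e;

/* Constructed allow-list of measurement names this agent actually implements. */
static const char *const SUPPORTED_MEAS[] = { "DRB.PdcpSduVolumeDL", "DRB.PdcpSduVolumeUL", "RRU.PrbTotDl" };

/* Hardened check: an unsupported action type or unknown measName is reported, never asserted on. */
static e2_status_e validate_subscription(ric_action_type_e type, const char *meas_name) {
    if (type != RIC_ACT_REPORT)
        return E2_ERR_ACTION_UNSUPPORTED;          /* insert/policy -> Subscription Failure */
    if (meas_name == NULL)
        return E2_ERR_MEAS_NAME;
    for (size_t i = 0; i < sizeof SUPPORTED_MEAS / sizeof SUPPORTED_MEAS[0]; i++)
        if (strcmp(meas_name, SUPPORTED_MEAS[i]) == 0)
            return E2_OK;
    return E2_ERR_MEAS_NAME;                       /* random measName -> rejected, not a crash */
}

/* Hypothetical 3-byte control header (1 byte version, 2-byte big-endian payload length).
 * Returns the payload length, or -1 when the buffer is zeroed, truncated or inconsistent. */
static int ctrl_hdr_payload_len(const uint8_t *buf, size_t buf_len) {
    if (buf == NULL || buf_len < 3)
        return -1;
    uint16_t len = (uint16_t)((buf[1] << 8) | buf[2]);
    if (len == 0 || len > buf_len - 3)             /* declared length must fit what was received */
        return -1;
    return (int)len;
}

/* Constructed sample buffers: an all-zero header and a consistent one carrying 2 payload bytes. */
static const uint8_t SAMPLE_ZEROED_HDR[3] = { 0x00, 0x00, 0x00 };
static const uint8_t SAMPLE_GOOD_HDR[5]   = { 0x01, 0x00, 0x02, 0xAA, 0xBB };

int main(void) {
    printf("insert action   -> status %d\n", validate_subscription(RIC_ACT_INSERT, "DRB.PdcpSduVolumeDL"));
    printf("random measName -> status %d\n", validate_subscription(RIC_ACT_REPORT, "zzzz"));
    printf("zeroed header   -> len %d\n", ctrl_hdr_payload_len(SAMPLE_ZEROED_HDR, sizeof SAMPLE_ZEROED_HDR));
    printf("good header     -> len %d\n", ctrl_hdr_payload_len(SAMPLE_GOOD_HDR, sizeof SAMPLE_GOOD_HDR));
    return 0;
}
```

The caller maps a non-zero status to the corresponding E2 failure message, so a mutated field costs one rejected request rather than the whole DU or CU-UP process.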
Product: Eurecom Mosaic5G FlexRIC v2.0.0 / OpenAirInterface5G gNB CU-UP – v2.1.0
Component: OAI gNB nr-softmodem simulation (CU-UP) using FlexRIC-based xApps
CWE: CWE-617 (Reachable Assertion)
CVSS Impact: Denial of Service
Description:
A denial-of-service (DoS) vulnerability exists in the FlexRIC-based O-RAN 2.1.0 KPM implementation where sending a crafted E2SM-KPM Subscription message with a mutated testExpr field (e.g., changing from equal to lessthan) triggers an assertion failure in the CU-UP at ran_func_kpm.c. This causes the CU-UP to crash (exit code 139), leading to disconnection of all UEs and service disruption.
Attack Vector:
An attacker could craft a malicious xApp that sends a Subscription Request message, triggering an assertion failure.
Vendor Acknowledged: Yes
Reference: https://gitlab.eurecom.fr/oai/openairinterface5g/-/blob/develop/openair2/E2AP/RAN_FUNCTION/O-RAN/ran_func_kpm.c
Product: O-RAN-sc RIC I-Release
Component: near-RT RIC ric_e2term component
CWE: CWE-617 (Reachable Assertion)
CVSS Impact: Denial of Service
Description:
An issue in O-RAN-sc RIC I-Release allows a remote attacker to cause a denial of service via the near-RT RIC ric_e2term component.
Attack Vector:
Remote. An attacker could craft a malicious xApp that sends a specific RIC Control message, triggering an assertion failure.
| Date | Event |
|---|---|
| 2024-10-26 | CVE-2024-48408 assigned by MITRE |
| 2025-05-03 | Vulnerabilities reported to OpenAirInterface and FlexRIC developers via email |
| 2025-05-03 | No response received from vendors |
| 2025-12-05 | CVE-2025-67398 assigned by MITRE |
| 2026-03-30 | Public disclosure of all CVEs |
- A fuzzer/tool developed as part of this PhD research was used to discover these vulnerabilities and has been made publicly available:
ORANClaw E2 MitM Fuzzing
This disclosure follows responsible disclosure practices. All vendors were notified prior to publication.