An integer divide-by-zero vulnerability was discovered in OpenAirInterface5G 2.4.0 (nr-softmodem) within the E2SM-KPM RAN Function’s PRB utilization metric calculation. The vulnerable functions `fill_RRU_PrbTotDl()` and `fill_RRU_PrbTotUl()` in `openair2/E2AP/RAN_FUNCTION/O-RAN/ran_func_kpm_subs.c` (lines 182 and 197) compute PRB usage percentages by dividing by the difference between two consecutive `total_prb_aggregate` samples without any zero‑check. A remote, unauthenticated attacker can exploit this by using a malicious xApp to send a high volume of `E42_RIC_SUBSCRIPTION_REQUEST` messages via the FlexRIC iApp on SCTP port 36422. This forces the E2 Agent to generate KPM Indication reports at a high frequency. If two consecutive sampling intervals happen to produce identical PRB aggregate values, the divisor becomes zero, triggering a `SIGFPE` signal. The floating‑point exception crashes the entire `nr-softmodem` process, which halts all 5G cell services for all connected UEs. No authentication is required to launch this attack. The vulnerability is rooted in the missing zero‑divisor validation before performing the division. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H, reflecting a high severity (CVSS base score 8.6). As of the publication date, no official patch is available, but a fix has been proposed that adds a zero‑check, returning `0` when the divisor is zero to avoid the crash. The vulnerability was publicly disclosed on June 1, 2026.
DailyCVE Form:
Platform: OpenAirInterface5G
Version: 2.4.0
Vulnerability: Divide‑by‑zero
Severity: High (8.6)
Date: June 1, 2026
Prediction: Late June 2026
What Undercode Say
```
# Check running nr-softmodem process
ps aux | grep nr-softmodem

# Monitor SCTP traffic on port 36422
sudo tcpdump -i eth0 -s0 -X 'port 36422'

# Analyze core dump for SIGFPE
gdb nr-softmodem core.12345
(gdb) frame 0
(gdb) info registers
(gdb) list

# Quick code check (inspect divisor)
grep -A5 -B5 "total_prb_aggregate" openair2/E2AP/RAN_FUNCTION/O-RAN/ran_func_kpm_subs.c
```
How Exploit
- Set up a malicious xApp that connects to the FlexRIC iApp on SCTP port 36422.
- Rapidly send `E42_RIC_SUBSCRIPTION_REQUEST` messages to force high‑frequency KPM reporting.
- Wait until two consecutive `total_prb_aggregate` samples are identical → divisor zero.
- Observe `nr-softmodem` crash with `SIGFPE`, bringing down the 5G cell.
Example packet (conceptual):
```
E42_RIC_SUBSCRIPTION_REQUEST
- ric_req_action: REPORT
- reporting_period: 10 ms
- metrics: PRB_UTIL_DL, PRB_UTIL_UL
```
Protection
- Rate‑limit KPM subscription requests on the iApp (port 36422).
- Apply the proposed fix: add zero‑division checks in `fill_RRU_PrbTotDl()` and `fill_RRU_PrbTotUl()`.
- Isolate the FlexRIC control plane from untrusted networks.
- Monitor logs for repeated `E42_RIC_SUBSCRIPTION_REQUEST` floods.
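The zero‑check described in the proposed fix, shown next to the unchecked pattern. This is an added example, not the OpenAirInterface code: the struct, the function names and the `used_prb_aggregate` numerator are assumptions, and only `total_prb_aggregate` is a name taken from the advisory.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical sample layout; only total_prb_aggregate is named in the advisory. */
typedef struct {
  uint32_t used_prb_aggregate;  /* assumed numerator counter */
  uint32_t total_prb_aggregate; /* cumulative counter from the advisory */
} prb_sample_t;

/* Unchecked pattern: identical consecutive totals make the divisor zero,
 * which raises SIGFPE on x86 and is undefined behaviour in C. */
uint32_t prb_util_unchecked(const prb_sample_t *prev, const prb_sample_t *cur)
{
  uint32_t used = cur->used_prb_aggregate - prev->used_prb_aggregate;
  uint32_t total = cur->total_prb_aggregate - prev->total_prb_aggregate;
  return used * 100 / total;
}

/* Checked pattern: report 0 % when no PRBs were accounted in the interval. */
uint32_t prb_util_checked(const prb_sample_t *prev, const prb_sample_t *cur)
{
  /* Unsigned subtraction stays correct across a 32-bit counter wrap. */
  uint32_t used = cur->used_prb_aggregate - prev->used_prb_aggregate;
  uint32_t total = cur->total_prb_aggregate - prev->total_prb_aggregate;
  if (total == 0)
    return 0; /* the zero-check the proposed fix adds */
  /* Widen before multiplying so used * 100 cannot overflow 32 bits. */
  uint64_t pct = (uint64_t)used * 100 / total;
  return pct > 100 ? 100 : (uint32_t)pct; /* extra clamp, not part of the advisory */
}

int main(void)
{
  /* Constructed samples: a normal interval and a repeated (identical) sample. */
  prb_sample_t s0 = {100, 1000}, s1 = {150, 1100};
  printf("normal interval:   %u%%\n", (unsigned)prb_util_checked(&s0, &s1));
  printf("identical samples: %u%%\n", (unsigned)prb_util_checked(&s1, &s1));
  return 0;
}
```
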
Impact
- Availability – Complete outage of the 5G base station (`nr-softmodem` crash).
- Service – All connected UEs lose 5G cell connectivity.
- Attack vector – Remote, unauthenticated, low complexity.
- Business – Severe disruption to 5G network operations.
Sources:
Reported By: nvd.nist.gov

