In OpenAirInterface5G version 2.4.0, the E2SM-KPM RAN Function's PRB utilization metric calculation in functions fill_RRU_PrbTotDl() and fill_RRU_PrbTotUl() divides by the difference between two consecutive total_prb_aggregate samples without validating that this difference is non-zero. When a malicious xApp sends numerous E42_RIC_SUBSCRIPTION_REQUEST messages via the FlexRIC iApp interface, the E2 Agent produces KPM Indication reports at a high rate. If two consecutive sampling intervals yield identical PRB aggregate values, the divisor becomes zero, causing a SIGFPE (floating point exception) that crashes the nr-softmodem process. This results in a total outage of the 5G base station's cell service, impacting all connected devices. The vulnerability requires no authentication, making it accessible to unauthenticated attackers. No patch or vendor advisory has been provided to date.

Exploitation causes the nr-softmodem process of the 5G base station to crash due to an unhandled division by zero error, resulting in a complete loss of 5G cell service for all connected user equipment. This denial of service condition can be triggered remotely without authentication by sending a high volume of subscription requests. The outage affects availability of the 5G network cell served by the vulnerable base station.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, consider restricting or monitoring access to the FlexRIC iApp interface (port 36422/SCTP) to limit exposure to unauthenticated subscription requests that could trigger this vulnerability.