CVE-2026-32937
Out-of-Bounds Slice Access in free5GC CHF Causes Service Panic
Publication date: 2026-03-20
Last updated on: 2026-03-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| free5gc | free5gc | up to 1.2.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-129 | The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32937 is a denial-of-service vulnerability in the free5GC CHF (Converged Charging Function) component, specifically in the RechargePut API endpoint. The issue arises from improper handling of input parameters where the code expects a string containing an underscore delimiter separating the UE ID and rating group. If this format is not met, the code attempts to access an index in a split array that does not exist, causing an out-of-range slice access panic.
This panic causes the recharge endpoint to crash or become unavailable temporarily. In environments using the Gin framework with recovery middleware, the panic is converted into an HTTP 500 error, but the endpoint remains vulnerable to repeated panic triggers, which can degrade service and flood logs. Without such recovery, the panic may cause more severe service disruption.
The vulnerability was fixed by changing the API to separate the UE ID and rating group into distinct parameters, adding input validation to prevent out-of-range access, improving error handling to return proper HTTP 400 responses for invalid input, and adding logging for malformed requests.
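The flaw described above, as an added illustration written for this page rather than free5GC's own code: a parser that splits the `ueId` path parameter on `_` and indexes the second field without checking that it exists, placed beside a hardened version that takes the UE ID and rating group as separate inputs and validates both. The UE ID pattern, the `callRecovering` helper (which stands in for Gin's recovery middleware) and the sample identifiers are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// ErrBadRequest marks input the handler should answer with HTTP 400 instead of panicking.
var ErrBadRequest = errors.New("bad request: malformed ueId/ratingGroup")

// RechargeKey is the (UE ID, rating group) pair a recharge request addresses.
type RechargeKey struct {
	UeID        string
	RatingGroup int32
}

// parseRechargeKeyVulnerable reproduces the pattern the advisory describes (an illustration,
// not free5GC's code): the path parameter is expected to look like "<ueId>_<ratingGroup>",
// and the split result is indexed without checking how many fields came back.
func parseRechargeKeyVulnerable(ueIDParam string) (RechargeKey, error) {
	parts := strings.Split(ueIDParam, "_")
	// parts[1] does not exist when "_" is absent: Go raises a runtime panic here.
	rg, err := strconv.ParseInt(parts[1], 10, 32)
	if err != nil {
		return RechargeKey{}, ErrBadRequest
	}
	return RechargeKey{UeID: parts[0], RatingGroup: int32(rg)}, nil
}

// ueIDPattern is a constructed sanity check for the UE identifier (assumption of this example);
// a real deployment would use the identifier syntax its SBI callers actually send.
var ueIDPattern = regexp.MustCompile(`^[A-Za-z0-9-]{1,64}$`)

// parseRechargeKeySafe takes the UE ID and rating group as distinct inputs and validates both,
// so malformed input yields ErrBadRequest (mapped to HTTP 400 by the caller) instead of a panic.
func parseRechargeKeySafe(ueID, ratingGroupParam string) (RechargeKey, error) {
	if !ueIDPattern.MatchString(ueID) {
		return RechargeKey{}, ErrBadRequest
	}
	rg, err := strconv.ParseInt(ratingGroupParam, 10, 32)
	if err != nil || rg <= 0 {
		return RechargeKey{}, ErrBadRequest
	}
	return RechargeKey{UeID: ueID, RatingGroup: int32(rg)}, nil
}

// callRecovering runs fn and reports whether it panicked, the way a recovery middleware
// turns a handler panic into a 500 response instead of terminating the process.
func callRecovering(fn func()) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	fn()
	return false
}

func main() {
	// Constructed inputs: one well-formed "<ueId>_<ratingGroup>" value, one without the delimiter.
	for _, in := range []string{"imsi-208930000000003_1", "imsi-208930000000003"} {
		panicked := callRecovering(func() { parseRechargeKeyVulnerable(in) })
		fmt.Printf("vulnerable parser, input %q: panicked=%v\n", in, panicked)
	}
	_, err := parseRechargeKeySafe("imsi-208930000000003", "")
	fmt.Println("hardened parser, empty ratingGroup:", err)
}
```

With recovery middleware the vulnerable parser still turns every delimiter-less request into a 500 and a logged stack trace, which is the degradation the advisory describes; the hardened parser returns a sentinel error for the same inputs, so the handler can answer 400 and log the malformed request without a panic.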
How can this vulnerability impact me?
This vulnerability can be exploited by sending valid authenticated PUT requests with malformed input to the recharge endpoint, causing the server to panic and the recharge functionality to become unavailable temporarily.
Repeated exploitation can degrade the recharge service, flood server logs, and potentially cause denial-of-service conditions. In deployments without panic recovery mechanisms, the impact can be more severe, possibly leading to complete service disruption.
Such disruptions can affect the availability and reliability of the 5G core network's charging functions, impacting billing and service continuity. [2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for repeated HTTP 500 Internal Server Error responses from the `/nchf-convergedcharging/v3/recharging/:ueId` API endpoint when PUT requests are made. Logs may show panic stack traces related to out-of-range slice access in the RechargePut handler.
Detection can be facilitated by enabling detailed error logging on the CHF service, which now logs errors related to malformed or missing `ratingGroup` parameters, as well as invalid input causing panics.
Suggested commands to detect attempts or exploitation include:
- Use network monitoring tools (e.g., tcpdump or Wireshark) to capture PUT requests to the recharge endpoint and inspect for malformed or suspicious requests.
- Check application logs for repeated HTTP 500 errors or panic stack traces referencing `RechargePut` or out-of-range slice access.
- Example command to search logs for panic occurrences: `grep -i 'panic' /var/log/free5gc/chf.log | grep RechargePut`
- Example command to monitor HTTP 500 responses on the recharge endpoint: `grep 'PUT /nchf-convergedcharging/v3/recharging/' /var/log/free5gc/access.log | grep ' 500 '` [1, 2, 4]
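The two grep pipelines above, carried out as a small detector in Go that a CHF operator could run over exported logs. This is an added example, not free5GC tooling; the access-log layout (time | status | latency | client | METHOD "path") is modelled on Gin's default request logger, and both log samples, the client addresses and the threshold are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// rechargePathPrefix is the route named in the advisory; PUTs below it are the ones to watch.
const rechargePathPrefix = "/nchf-convergedcharging/v3/recharging/"

// sampleAccessLog is constructed for this example in a Gin-style request-log layout
// (time | status | latency | client | METHOD "path"); it is not real free5GC output.
const sampleAccessLog = `2026-03-21T10:00:01Z | 200 | 1.2ms | 10.0.0.5 | PUT "/nchf-convergedcharging/v3/recharging/imsi-208930000000003_1"
2026-03-21T10:00:02Z | 500 | 0.8ms | 10.0.0.9 | PUT "/nchf-convergedcharging/v3/recharging/imsi-208930000000003"
2026-03-21T10:00:02Z | 500 | 0.7ms | 10.0.0.9 | PUT "/nchf-convergedcharging/v3/recharging/foo"
2026-03-21T10:00:03Z | 201 | 2.0ms | 10.0.0.5 | POST "/nchf-convergedcharging/v3/chargingdata"
2026-03-21T10:00:03Z | 500 | 0.9ms | 10.0.0.9 | PUT "/nchf-convergedcharging/v3/recharging/bar"
2026-03-21T10:00:04Z | 500 | 3.1ms | 10.0.0.5 | GET "/nchf-convergedcharging/v3/chargingdata/x"
`

// sampleChfLog is likewise constructed: recovered-panic lines of the kind a recovery
// middleware prints, each followed by a stack frame mentioning the RechargePut handler.
const sampleChfLog = `2026-03-21T10:00:02Z [Recovery] panic recovered: runtime error: index out of range [1] with length 1
2026-03-21T10:00:02Z     RechargePut handler frame (constructed)
2026-03-21T10:00:03Z INFO recharge ok for imsi-208930000000003 rg=1
2026-03-21T10:00:03Z [Recovery] panic recovered: runtime error: index out of range [1] with length 1
2026-03-21T10:00:03Z     RechargePut handler frame (constructed)
`

// RechargeFailure is one HTTP 500 answered to a PUT on the recharge route.
type RechargeFailure struct {
	Client string
	Path   string
}

// recharge500s extracts every PUT to the recharge route that was answered with 500,
// the programmatic form of the advisory's second grep pipeline.
func recharge500s(accessLog string) []RechargeFailure {
	var out []RechargeFailure
	for _, line := range strings.Split(accessLog, "\n") {
		fields := strings.Split(line, " | ")
		if len(fields) != 5 {
			continue // blank line or not an access-log line
		}
		status := strings.TrimSpace(fields[1])
		client := strings.TrimSpace(fields[3])
		method, path, ok := strings.Cut(strings.TrimSpace(fields[4]), " ")
		if !ok {
			continue
		}
		path = strings.Trim(path, `"`)
		if status == "500" && method == "PUT" && strings.HasPrefix(path, rechargePathPrefix) {
			out = append(out, RechargeFailure{Client: client, Path: path})
		}
	}
	return out
}

// clientsOverThreshold groups failures per client and returns, sorted, the clients that
// produced at least threshold failures: repeated panics from one caller are the signal.
func clientsOverThreshold(failures []RechargeFailure, threshold int) []string {
	counts := map[string]int{}
	for _, f := range failures {
		counts[f.Client]++
	}
	var out []string
	for client, n := range counts {
		if n >= threshold {
			out = append(out, client)
		}
	}
	sort.Strings(out)
	return out
}

// rechargePanicCount counts "panic" lines that are followed within a few lines by a
// stack frame naming RechargePut, approximating the advisory's first grep pipeline
// while tying the panic to the handler rather than matching either word alone.
func rechargePanicCount(chfLog string) int {
	lines := strings.Split(chfLog, "\n")
	n := 0
	for i, l := range lines {
		if !strings.Contains(strings.ToLower(l), "panic") {
			continue
		}
		for j := i; j < len(lines) && j <= i+5; j++ {
			if strings.Contains(lines[j], "RechargePut") {
				n++
				break
			}
		}
	}
	return n
}

func main() {
	failures := recharge500s(sampleAccessLog)
	fmt.Printf("PUT recharge requests answered 500: %d\n", len(failures))
	fmt.Println("clients with >= 3 such failures:", clientsOverThreshold(failures, 3))
	fmt.Println("recovered panics in RechargePut:", rechargePanicCount(sampleChfLog))
}
```

Filtering on method, path prefix and status together matters: the sample contains a 500 on an unrelated GET, which the plain `grep ' 500 '` in the advisory would also match if the first grep's path filter were dropped, and counting per client is what separates an occasional malformed request from the repeated triggering the advisory warns about.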
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable recharge endpoint to only strictly trusted network function callers.
Apply rate limiting or network access control lists (ACLs) on the CHF SBI interface to reduce the risk of repeated panic-triggering requests.
If the recharge API is not required in your deployment, temporarily disable or block external access to the `/nchf-convergedcharging/v3/recharging/:ueId` route.
Ensure that panic recovery middleware, monitoring, and alerting mechanisms are enabled to detect and respond to panic events and service disruptions.
Apply the official patch that includes input validation and error handling improvements to prevent the out-of-range panic, as merged in free5gc/chf pull request #61.