CVE-2026-33062
Received - Intake
Improper Input Validation in free5GC NRF Causes DoS

Publication date: 2026-03-20

Last updated on: 2026-03-27

Assigner: GitHub, Inc.

Description
free5GC is an open source 5G core network. free5GC NRF prior to version 1.4.2 has an Improper Input Validation vulnerability leading to Denial of Service. All deployments of free5GC using the NRF discovery service are affected. The `EncodeGroupId` function attempts to access array indices [0], [1], [2] without validating the length of the split data. When the parameter contains insufficient separator characters, the code panics with "index out of range". A remote attacker can cause the NRF service to panic and crash by sending a crafted HTTP GET request with a malformed `group-id-list` parameter. This results in complete denial of service for the NRF discovery service. free5GC NRF version 1.4.2 fixes the issue. There is no direct workaround at the application level. The recommendation is to apply the provided patch or restrict access to the NRF API to trusted sources only.
Meta Information
Published: 2026-03-20
Last Modified: 2026-03-27
Generated: 2026-05-07
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: free5gc
Product: free5gc
Version / Range: up to 1.4.2 (exclusive)
CWE ID: CWE-284
Description: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33062 is an Improper Input Validation vulnerability in the free5GC NRF (Network Repository Function) discovery service component. The vulnerability occurs in the `EncodeGroupId` function, which processes the `group-id-list` HTTP GET parameter by splitting it and accessing specific array indices without verifying that the split result contains enough elements. If the parameter is malformed with insufficient separator characters, this causes a runtime panic due to an "index out of range" error. This panic crashes the NRF service, resulting in a denial of service.

The root cause is that the code does not validate the length of the split data before accessing indices [0], [1], and [2]. A remote attacker can exploit this by sending a crafted HTTP GET request with a malformed `group-id-list` parameter, causing the NRF discovery service to crash.

The issue was fixed in free5GC NRF version 1.4.2 by adding proper input validation, including regex-based format validation and robust JSON unmarshalling, to prevent malformed inputs from causing panics. [1, 3, 4]
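The flaw class described in this answer, shown next to a validated form, as an added example that is not free5GC's code. The function names, the dash separator, the three-token layout and the regex are assumptions made for illustration; only the pattern (indexing [0], [1], [2] of a split result without a length check) comes from the description.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// unsafeFields reproduces the flaw class: it indexes [0], [1], [2] of the
// split result without checking its length (hypothetical helper).
func unsafeFields(groupID string) [3]string {
	p := strings.Split(groupID, "-")
	return [3]string{p[0], p[1], p[2]} // panics with fewer than two separators
}

// groupIDFormat is an assumed shape: exactly three non-empty tokens joined by "-".
var groupIDFormat = regexp.MustCompile(`^[A-Za-z0-9_]+-[A-Za-z0-9_]+-[A-Za-z0-9_]+$`)

// safeFields validates the format before indexing and returns an error
// instead of panicking.
func safeFields(groupID string) ([3]string, error) {
	if !groupIDFormat.MatchString(groupID) {
		return [3]string{}, fmt.Errorf("malformed group-id-list entry %q", groupID)
	}
	p := strings.Split(groupID, "-")
	return [3]string{p[0], p[1], p[2]}, nil
}

// statusFor maps the validation outcome to the status a handler would return.
func statusFor(groupID string) int {
	if _, err := safeFields(groupID); err != nil {
		return http.StatusBadRequest
	}
	return http.StatusOK
}

// panics reports whether the unchecked version panics on the given input.
func panics(groupID string) (crashed bool) {
	defer func() { crashed = recover() != nil }()
	unsafeFields(groupID)
	return false
}

func main() {
	for _, in := range []string{"a-b-c", "malformed", "a-b", ""} {
		fmt.Printf("%q: unchecked panics=%v, validated status=%d\n", in, panics(in), statusFor(in))
	}
}
```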


How can this vulnerability impact me?

This vulnerability can cause a complete denial of service (DoS) for the free5GC NRF discovery service. When exploited, the service crashes due to a runtime panic triggered by malformed input parameters.

Since the NRF discovery service is critical for 5G core network function discovery, its unavailability can disrupt network operations that depend on it, potentially affecting service availability and reliability.

There is no direct application-level workaround; mitigation requires applying the patch introduced in free5GC NRF version 1.4.2 or restricting access to the NRF API to trusted sources only.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring the NRF discovery service for runtime panics or crashes triggered by malformed HTTP GET requests containing the `group-id-list` parameter with insufficient separator characters.

Specifically, sending a crafted HTTP GET request to the NRF Discovery API endpoint with a malformed `group-id-list` parameter that lacks the expected dash-separated format can reproduce the issue and cause the service to panic.

For detection, you can use network traffic inspection tools or HTTP request testing tools (e.g., curl) to send test requests and observe the service behavior.

- Example curl command to test the vulnerability by sending a malformed `group-id-list` parameter:
- `curl -v "http://<NRF_IP>:<NRF_PORT>/nnrf-disc/v1/nf-instances?group-id-list=malformed"`

If the service crashes or logs a runtime panic with an "index out of range" error, the vulnerability is present.

Additionally, monitoring logs for panic stack traces referencing the `EncodeGroupId` function or runtime errors related to index out of range can help detect exploitation attempts. [3, 4]
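The log-monitoring approach from this answer, as an added example that is not part of the original page or of free5GC: it flags "index out of range" panics only when the following stack trace references `EncodeGroupId`. The sample log is constructed, and its package path, log prefix format and the 8-line search window are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample shaped like a Go panic trace; not captured from a real
// NRF. The package path is a placeholder.
const sampleLog = `2026-03-21T10:00:01Z [INFO] GET /nnrf-disc/v1/nf-instances
panic: runtime error: index out of range [1] with length 1

goroutine 52 [running]:
example.invalid/nrf/context.EncodeGroupId(...)
2026-03-21T10:00:09Z [INFO] NRF started
2026-03-21T10:02:00Z [ERRO] panic: runtime error: index out of range [3] with length 2
goroutine 77 [running]:
example.invalid/nrf/other.Helper(...)`

const window = 8 // lines after the panic searched for the stack frame

// FindEncodeGroupIdPanics returns the 1-based line numbers of "index out of
// range" panics whose trace, within the window, references EncodeGroupId.
func FindEncodeGroupIdPanics(log string) []int {
	lines := strings.Split(log, "\n")
	var hits []int
	for i, l := range lines {
		if !strings.Contains(l, "panic:") || !strings.Contains(l, "index out of range") {
			continue
		}
		for j := i + 1; j < len(lines) && j <= i+window; j++ {
			if strings.Contains(lines[j], "panic:") {
				break // a different panic begins; stop attributing frames
			}
			if strings.Contains(lines[j], "EncodeGroupId") {
				hits = append(hits, i+1)
				break
			}
		}
	}
	return hits
}

func main() {
	fmt.Println("EncodeGroupId panics at lines:", FindEncodeGroupIdPanics(sampleLog))
}
```

The second panic in the sample is deliberately unrelated, so the scanner reports only the first.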


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade free5GC NRF to version 1.4.2 or later, which includes patches that fix the improper input validation causing the runtime panic.

If immediate upgrade is not possible, restrict access to the NRF API to trusted sources only, limiting exposure to potentially malicious crafted requests.

There is no direct application-level workaround to prevent the panic other than applying the patch or upgrading.

The patch includes robust validation of the `group-id-list` and other parameters, returning HTTP 400 Bad Request errors for malformed inputs instead of crashing.

