Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33062 is an Improper Input Validation vulnerability in the free5GC NRF (Network Repository Function) discovery service component. The vulnerability occurs in the EncodeGroupId function, which processes the group-id-list HTTP GET parameter by splitting it and accessing specific array indices without verifying that the split result contains enough elements. If the parameter is malformed with insufficient separator characters, this causes a runtime panic due to an "index out of range" error. This panic crashes the NRF service, resulting in a denial of service.'}, {'type': 'paragraph', 'content': 'The root cause is that the code does not validate the length of the split data before accessing indices [0], [1], and [2]. A remote attacker can exploit this by sending a crafted HTTP GET request with a malformed group-id-list parameter, causing the NRF discovery service to crash.'}, {'type': 'paragraph', 'content': 'The issue was fixed in free5GC NRF version 1.4.2 by adding proper input validation, including regex-based format validation and robust JSON unmarshalling, to prevent malformed inputs from causing panics.'}] [1, 3, 4]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a complete denial of service (DoS) for the free5GC NRF discovery service. When exploited, the service crashes due to a runtime panic triggered by malformed input parameters.

Since the NRF discovery service is critical for 5G core network function discovery, its unavailability can disrupt network operations that depend on it, potentially affecting service availability and reliability.

There is no direct application-level workaround; mitigation requires applying the patch introduced in free5GC NRF version 1.4.2 or restricting access to the NRF API to trusted sources only.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring the NRF discovery service for runtime panics or crashes triggered by malformed HTTP GET requests containing the `group-id-list` parameter with insufficient separator characters.'}, {'type': 'paragraph', 'content': 'Specifically, sending a crafted HTTP GET request to the NRF Discovery API endpoint with a malformed `group-id-list` parameter that lacks the expected dash-separated format can reproduce the issue and cause the service to panic.'}, {'type': 'paragraph', 'content': 'For detection, you can use network traffic inspection tools or HTTP request testing tools (e.g., curl) to send test requests and observe the service behavior.'}, {'type': 'list_item', 'content': 'Example curl command to test the vulnerability by sending a malformed `group-id-list` parameter:'}, {'type': 'list_item', 'content': 'curl -v "http://<NRF_IP>:<NRF_PORT>/nnrf-disc/v1/nf-instances?group-id-list=malformed"'}, {'type': 'paragraph', 'content': 'If the service crashes or logs a runtime panic with an "index out of range" error, the vulnerability is present.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring logs for panic stack traces referencing the EncodeGroupId function or runtime errors related to index out of range can help detect exploitation attempts.'}] [3, 4]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade free5GC NRF to version 1.4.2 or later, which includes patches that fix the improper input validation causing the runtime panic.

If immediate upgrade is not possible, restrict access to the NRF API to trusted sources only, limiting exposure to potentially malicious crafted requests.

There is no direct application-level workaround to prevent the panic other than applying the patch or upgrading.

The patch includes robust validation of the `group-id-list` and other parameters, returning HTTP 400 Bad Request errors for malformed inputs instead of crashing.

Useful 0 Not Useful 0