{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32937", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T00:05:53.282Z", "datePublished": "2026-03-20T02:43:18.754Z", "dateUpdated": "2026-03-20T02:43:18.754Z"}, "containers": {"cna": {"title": "free5GC CHF has Out-of-Bounds Slice Access that Leads to DoS", "problemTypes": [{"descriptions": [{"cweId": "CWE-129", "lang": "en", "description": "CWE-129: Improper Validation of Array Index", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/free5gc/free5gc/security/advisories/GHSA-6g43-577r-wf4x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-6g43-577r-wf4x"}, {"name": "https://github.com/free5gc/free5gc/issues/864", "tags": ["x_refsource_MISC"], "url": "https://github.com/free5gc/free5gc/issues/864"}, {"name": "https://github.com/free5gc/chf/pull/61", "tags": ["x_refsource_MISC"], "url": "https://github.com/free5gc/chf/pull/61"}, {"name": "https://github.com/free5gc/chf/commit/55af766f321a00afa978e806548c96f8a7d2433e", "tags": ["x_refsource_MISC"], "url": "https://github.com/free5gc/chf/commit/55af766f321a00afa978e806548c96f8a7d2433e"}], "affected": [{"vendor": "free5gc", "product": "chf", "versions": [{"version": "< 1.2.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T02:43:18.754Z"}, "descriptions": [{"lang": "en", "value": "free5GC is an open source 5G core network. free5GC CHF prior to version 1.2.2 has an out-of-bounds slice access vulnerability in the CHF `nchf-convergedcharging` service. A valid authenticated request to PUT `/nchf-convergedcharging/v3/recharging/:ueId?ratingGroup=...` can trigger a server-side panic in `github.com/free5gc/chf/internal/sbi.(*Server).RechargePut(...)` due to an out-of-range slice access. In the reported runtime, Gin recovery converts the panic into HTTP 500, but the recharge path remains remotely panic-triggerable and can be abused repeatedly to degrade recharge functionality and flood logs. In deployments without equivalent recovery handling, this panic may cause more severe service disruption. free5GC CHF patches the issue. Some workarounds are available: Restrict access to the `nchf-convergedcharging` recharge endpoint to strictly trusted NF callers only; apply rate limiting or network ACLs in front of the CHF SBI interface to reduce repeated panic-trigger attempts; if the recharge API is not required, temporarily disable or block external reachability to this route; and/or ensure panic recovery, monitoring, and alerting are enabled."}], "source": {"advisory": "GHSA-6g43-577r-wf4x", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "free5GC is an open source 5G core network. free5GC CHF prior to version 1.2.2 has an out-of-bounds slice access vulnerability in the CHF `nchf-convergedcharging` service. A valid authenticated request to PUT `/nchf-convergedcharging/v3/recharging/:ueId?ratingGroup=...` can trigger a server-side panic in `github.com/free5gc/chf/internal/sbi.(*Server).RechargePut(...)` due to an out-of-range slice access. In the reported runtime, Gin recovery converts the panic into HTTP 500, but the recharge path remains remotely panic-triggerable and can be abused repeatedly to degrade recharge functionality and flood logs. In deployments without equivalent recovery handling, this panic may cause more severe service disruption. free5GC CHF patches the issue. Some workarounds are available: Restrict access to the `nchf-convergedcharging` recharge endpoint to strictly trusted NF callers only; apply rate limiting or network ACLs in front of the CHF SBI interface to reduce repeated panic-trigger attempts; if the recharge API is not required, temporarily disable or block external reachability to this route; and/or ensure panic recovery, monitoring, and alerting are enabled."}], "id": "CVE-2026-32937", "lastModified": "2026-03-20T03:16:00.923", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T03:16:00.923", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/free5gc/chf/commit/55af766f321a00afa978e806548c96f8a7d2433e"}, {"source": "security-advisories@github.com", "url": "https://github.com/free5gc/chf/pull/61"}, {"source": "security-advisories@github.com", "url": "https://github.com/free5gc/free5gc/issues/864"}, {"source": "security-advisories@github.com", "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-6g43-577r-wf4x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-129"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "chf", "vendor": "free5gc"}], "analysis": {"en": {"generated_at": "2026-03-20T04:50:35.451004+00:00", "value": {"mitigation_remediation": ["Apply the official patch or upgrade free5GC CHF to version 1.2.2 or later.", "If patching is not immediately possible, restrict access to the /nchf-convergedcharging/recharging endpoint to trusted NF callers only.", "Implement rate limiting or network ACLs to reduce repeated panic\u2011trigger attempts.", "If the recharge API is not required, temporarily disable or block external reachability to this route.", "Ensure panic recovery, monitoring, and alerting are enabled to detect HTTP 500 spikes and alert on potential abuse."], "summary": {"action": "Patch ASAP", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Affected systems include any deployment of free5GC CHF using the nchf-convergedcharging component with a version earlier than 1.2.2. The vulnerability is present in the internal/sbi package handling recharge requests. Official patches are available in version 1.2.2 and later, and several workarounds are recommended, such as restricting endpoint access to trusted NF callers, applying rate limiting or network ACLs, disabling the recharge API if unused, or ensuring panic recovery, monitoring, and alerting.", "description_and_impact": "Key detail from vendor description: free5GC CHF before version 1.2.2 contains an out\u2011of\u2011bounds slice access flaw in the nchf-convergedcharging service. A valid authenticated PUT request to the /nchf-convergedcharging/v3/recharging/:ueId endpoint with a ratingGroup query can cause a server\u2011side panic in the RechargePut handler, which in many deployments is converted to an HTTP 500 error. Repeated exploitation can degrade recharge functionality, flood logs, or, if recovery is not implemented, lead to more severe service disruption.", "risk_and_exploitability": "Risk assessment: The CVSS score is 7.1, indicating moderate severity. EPSS data is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no known widespread exploitation. The likely attack vector is remote and requires a valid authenticated request to the recharge endpoint. An attacker can repeatedly send crafted requests to trigger the panic, resulting in denial of service of the recharge feature or, in deployments lacking adequate recovery, complete service failure. The overall risk is moderate but can be mitigated quickly by applying the available patch or following the recommended workarounds."}}}}, "created": "2026-03-20T08:53:00.289308+00:00", "updated": "2026-03-20T10:37:44.460139+00:00", "vendors": ["free5gc", "free5gc$PRODUCT$chf"]}