FKIE_CVE-2026-32937

Vulnerability from fkie_nvd - Published: 2026-03-20 03:16 - Updated: 2026-03-20 13:37
Summary
free5GC is an open source 5G core network. free5GC CHF prior to version 1.2.2 has an out-of-bounds slice access vulnerability in the CHF `nchf-convergedcharging` service. A valid authenticated request to PUT `/nchf-convergedcharging/v3/recharging/:ueId?ratingGroup=...` can trigger a server-side panic in `github.com/free5gc/chf/internal/sbi.(*Server).RechargePut(...)` due to an out-of-range slice access. In the reported runtime, Gin recovery converts the panic into HTTP 500, but the recharge path remains remotely panic-triggerable and can be abused repeatedly to degrade recharge functionality and flood logs. In deployments without equivalent recovery handling, this panic may cause more severe service disruption. free5GC CHF patches the issue. Some workarounds are available: Restrict access to the `nchf-convergedcharging` recharge endpoint to strictly trusted NF callers only; apply rate limiting or network ACLs in front of the CHF SBI interface to reduce repeated panic-trigger attempts; if the recharge API is not required, temporarily disable or block external reachability to this route; and/or ensure panic recovery, monitoring, and alerting are enabled.

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "free5GC is an open source 5G core network. free5GC CHF prior to version 1.2.2 has an out-of-bounds slice access vulnerability in the CHF `nchf-convergedcharging` service. A valid authenticated request to PUT `/nchf-convergedcharging/v3/recharging/:ueId?ratingGroup=...` can trigger a server-side panic in `github.com/free5gc/chf/internal/sbi.(*Server).RechargePut(...)` due to an out-of-range slice access. In the reported runtime, Gin recovery converts the panic into HTTP 500, but the recharge path remains remotely panic-triggerable and can be abused repeatedly to degrade recharge functionality and flood logs. In deployments without equivalent recovery handling, this panic may cause more severe service disruption. free5GC CHF patches the issue. Some workarounds are available: Restrict access to the `nchf-convergedcharging` recharge endpoint to strictly trusted NF callers only; apply rate limiting or network ACLs in front of the CHF SBI interface to reduce repeated panic-trigger attempts; if the recharge API is not required, temporarily disable or block external reachability to this route; and/or ensure panic recovery, monitoring, and alerting are enabled."
    },
    {
      "lang": "es",
      "value": "free5GC es una red central 5G de c\u00f3digo abierto. free5GC CHF anterior a la versi\u00f3n 1.2.2 tiene una vulnerabilidad de acceso a una porci\u00f3n fuera de l\u00edmites en el servicio CHF \u0027nchf-convergedcharging\u0027. Una solicitud autenticada v\u00e1lida a PUT `/nchf-convergedcharging/v3/recharging/:ueId?ratingGroup=...` puede desencadenar un p\u00e1nico del lado del servidor en \u0027github.com/free5gc/chf/internal/sbi.(*Server).RechargePut(...)\u0027 debido a un acceso a una porci\u00f3n fuera de rango. En el tiempo de ejecuci\u00f3n reportado, la recuperaci\u00f3n de Gin convierte el p\u00e1nico en HTTP 500, pero la ruta de recarga permanece remotamente susceptible de desencadenar un p\u00e1nico y puede ser abusada repetidamente para degradar la funcionalidad de recarga e inundar los registros. En implementaciones sin un manejo de recuperaci\u00f3n equivalente, este p\u00e1nico puede causar una interrupci\u00f3n del servicio m\u00e1s grave. free5GC CHF aplica un parche al problema. Algunas soluciones alternativas est\u00e1n disponibles: Restringir el acceso al punto final de recarga \u0027nchf-convergedcharging\u0027 solo a llamadores NF estrictamente confiables; aplicar limitaci\u00f3n de velocidad o ACL de red delante de la interfaz SBI del CHF para reducir los intentos repetidos de desencadenar p\u00e1nicos; si la API de recarga no es necesaria, deshabilitar o bloquear temporalmente la accesibilidad externa a esta ruta; y/o asegurar que la recuperaci\u00f3n de p\u00e1nicos, el monitoreo y las alertas est\u00e9n habilitados."
    }
  ],
  "id": "CVE-2026-32937",
  "lastModified": "2026-03-20T13:37:50.737",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-20T03:16:00.923",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/free5gc/chf/commit/55af766f321a00afa978e806548c96f8a7d2433e"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/free5gc/chf/pull/61"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/free5gc/free5gc/issues/864"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-6g43-577r-wf4x"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-129"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

