CVE-2026-32937 Overview
CVE-2026-32937 is an out-of-bounds slice access vulnerability affecting free5GC, an open source 5G core network implementation. The vulnerability exists in the free5GC CHF (Charging Function) component's nchf-convergedcharging service prior to version 1.2.2. An authenticated attacker can send a specially crafted request to the recharge endpoint that triggers a server-side panic due to improper array bounds validation, leading to denial of service conditions.
The vulnerability resides in the github.com/free5gc/chf/internal/sbi.(*Server).RechargePut(...) function, where insufficient validation of input parameters allows out-of-range slice access. While the Gin framework's recovery middleware typically converts such panics into HTTP 500 responses, the vulnerable code path remains exploitable for repeated denial of service attacks.
Critical Impact
Authenticated attackers can repeatedly trigger server-side panics in the CHF recharge service, degrading 5G core network charging functionality and potentially causing complete service disruption in deployments without adequate panic recovery mechanisms.
Affected Products
- free5GC CHF (Charging Function) versions prior to 1.2.2
- free5GC 5G core network deployments using the vulnerable CHF component
- Systems exposing the nchf-convergedcharging SBI interface to untrusted network functions
Discovery Timeline
- 2026-03-20 - CVE-2026-32937 published to NVD
- 2026-03-20 - Last updated in NVD database
Technical Details for CVE-2026-32937
Vulnerability Analysis
This vulnerability is classified under CWE-129 (Improper Validation of Array Index), which occurs when the software uses untrusted input to access an array element without properly validating that the index falls within valid boundaries. In the context of Go programming, this manifests as an out-of-bounds slice access that triggers a runtime panic.
The vulnerable code path is accessible through authenticated requests to the PUT /nchf-convergedcharging/v3/recharging/:ueId?ratingGroup=... endpoint. When an attacker provides a malicious ratingGroup parameter value, the application attempts to access a slice element at an invalid index position. Go's runtime detects this boundary violation and triggers a panic, disrupting normal service operation.
In deployments utilizing Gin's default recovery middleware, the panic is caught and converted to an HTTP 500 Internal Server Error response, preventing complete process termination. However, this recovery mechanism does not prevent repeated exploitation—attackers can continuously trigger panics to degrade recharge functionality, generate excessive error logs, and potentially exhaust system resources.
Root Cause
The root cause is improper validation of array index input in the RechargePut handler function within the CHF SBI (Service-Based Interface) implementation. The code fails to verify that the ratingGroup parameter falls within the valid range of the target slice before attempting access. This missing bounds check allows authenticated callers to specify arbitrary index values that exceed the slice length.
The vulnerability follows a classic pattern where user-controlled input is used directly as an array/slice index without proper sanitization, resulting in CWE-129. The fix involves adding proper bounds validation before any slice access operations.
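The CWE-129 pattern and the bounds check described above, as an added Go example rather than free5GC's own code. The quotas table, the function names and the assumption that ratingGroup is used as a direct slice index are hypothetical and chosen only for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// quotas is a hypothetical table indexed by rating group (not free5GC's data model).
var quotas = []int64{1000, 500, 250}

var ErrBadRatingGroup = errors.New("ratingGroup out of range")

// lookupUnchecked shows the CWE-129 pattern: the parsed query value indexes the slice directly.
func lookupUnchecked(raw string) int64 {
	idx, _ := strconv.Atoi(raw) // parse error ignored, negative values accepted
	return quotas[idx]          // panics when idx < 0 or idx >= len(quotas)
}

// lookupChecked parses strictly and validates the index before the slice access.
func lookupChecked(raw string) (int64, error) {
	idx, err := strconv.ParseUint(raw, 10, 31)
	if err != nil {
		return 0, fmt.Errorf("invalid ratingGroup %q: %w", raw, ErrBadRatingGroup)
	}
	if idx >= uint64(len(quotas)) {
		return 0, fmt.Errorf("ratingGroup %d: %w", idx, ErrBadRatingGroup)
	}
	return quotas[idx], nil
}

// panics reports whether f panics, as a recovery middleware would observe it.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	for _, rg := range []string{"1", "3", "-1", "99999999999"} {
		_, err := lookupChecked(rg)
		crashed := panics(func() { lookupUnchecked(rg) })
		fmt.Printf("ratingGroup=%-12s unchecked panics=%-5v checked err=%v\n", rg, crashed, err)
	}
}
```

A handler built on the checked form can map ErrBadRatingGroup to an HTTP 400 response, so malformed input never reaches the recovery middleware.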
Attack Vector
The attack is network-based and requires low-privilege authentication as a valid Network Function (NF) caller. Exploitation follows this pattern:
- The attacker establishes an authenticated session with the CHF's SBI interface
- A PUT request is crafted targeting /nchf-convergedcharging/v3/recharging/:ueId with a malicious ratingGroup query parameter
- The ratingGroup value is set to an index that exceeds the bounds of the internal slice structure
- The RechargePut handler attempts to access the slice at the invalid index
- Go runtime detects the out-of-bounds access and triggers a panic
- Depending on deployment configuration, this either results in HTTP 500 (with recovery) or service crash (without recovery)
The vulnerability exploits improper bounds validation in the github.com/free5gc/chf/internal/sbi.(*Server).RechargePut(...) function. When a malicious ratingGroup parameter is supplied to the recharge endpoint, the code attempts to access a slice element without first verifying the index is within valid bounds. This triggers a Go runtime panic that disrupts service availability. For technical implementation details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-32937
Indicators of Compromise
- Repeated HTTP 500 responses from the /nchf-convergedcharging/v3/recharging/ endpoint with panic-related error messages in application logs
- Log entries containing runtime error: index out of range in conjunction with the RechargePut function
- Unusual volume of PUT requests to the recharge endpoint from a single source or with abnormal ratingGroup parameter values
- CHF service restarts or availability interruptions correlated with specific API traffic patterns
Detection Strategies
- Implement log monitoring for Go runtime panic messages specifically in the CHF component, filtering for index out of range errors in the sbi.(*Server).RechargePut call stack
- Deploy application-layer firewalls to inspect and validate ratingGroup query parameters on the nchf-convergedcharging recharge endpoints
- Configure alerting on elevated HTTP 500 response rates from the CHF service that exceed baseline thresholds
- Monitor for authentication patterns showing repeated failed or suspicious requests to charging-related endpoints
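One way to implement the log-monitoring strategy above, as an added Go example that is not part of the original advisory or of free5GC. The log layout, the lookahead depth and the sample lines are constructed assumptions; only the two marker strings come from the advisory.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

const panicMarker = "runtime error: index out of range"
const frameMarker = "sbi.(*Server).RechargePut"
const lookahead = 8 // stack lines searched after a panic line (assumed depth)

// sampleLog is constructed for this example; a real CHF log layout may differ.
const sampleLog = `2026-03-20T10:00:01Z [ERRO] panic recovered: runtime error: index out of range [7] with length 3
goroutine 52 [running]:
github.com/free5gc/chf/internal/sbi.(*Server).RechargePut(...)
2026-03-20T10:00:02Z [ERRO] panic recovered: runtime error: index out of range [9] with length 3
goroutine 53 [running]:
github.com/free5gc/chf/internal/sbi.(*Server).RechargePut(...)
2026-03-20T10:01:30Z [ERRO] panic recovered: runtime error: index out of range [1] with length 0
goroutine 60 [running]:
example.com/hypothetical/pkg.Other(...)
`

// rechargePanics counts, per minute, index-out-of-range panics whose stack names RechargePut.
func rechargePanics(log string) map[string]int {
	counts := map[string]int{}
	pending, minute := 0, ""
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := sc.Text()
		switch {
		case strings.Contains(line, "runtime error:"): // a new panic starts
			pending = 0
			if strings.Contains(line, panicMarker) && len(line) >= 16 {
				pending, minute = lookahead, line[:16] // timestamp truncated to the minute
			}
		case pending > 0 && strings.Contains(line, frameMarker):
			counts[minute]++
			pending = 0
		case pending > 0:
			pending--
		}
	}
	return counts
}

func main() {
	fmt.Println(rechargePanics(sampleLog))
}
```

Comparing each minute's count against the service's normal baseline turns this into an alert. The third constructed event is ignored because its stack does not include the RechargePut frame.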
Monitoring Recommendations
- Enable detailed request logging for all nchf-convergedcharging API calls including full query parameters
- Implement rate limiting metrics collection to identify potential DoS exploitation attempts
- Configure uptime monitoring and automatic restart alerting for the CHF service component
- Establish baseline metrics for recharge endpoint response times and error rates to detect anomalies
How to Mitigate CVE-2026-32937
Immediate Actions Required
- Upgrade free5GC CHF to version 1.2.2 or later, which contains the security patch
- Use network segmentation to restrict access to the nchf-convergedcharging recharge endpoint to trusted NF callers only
- Apply rate limiting and network ACLs in front of the CHF SBI interface to reduce repeated panic-trigger attempts
- If the recharge API is not operationally required, temporarily disable or block external reachability to this route
Patch Information
The vulnerability has been patched in free5GC CHF version 1.2.2. The fix adds proper bounds validation before slice access operations in the RechargePut handler. Organizations should apply this patch as the primary remediation measure.
Relevant patch resources:
- GitHub Commit with Fix (commit 55af766f321a00afa978e806548c96f8a7d2433e)
- Pull Request #61
- Security Advisory GHSA-6g43-577r-wf4x
Workarounds
- Implement network-level access controls to limit CHF SBI interface exposure to only authenticated and authorized internal network functions
- Deploy a reverse proxy or API gateway with input validation rules to sanitize ratingGroup parameters before they reach the CHF service
- Enable comprehensive panic recovery middleware with alerting to maintain service availability while generating security notifications
- Consider temporarily disabling the vulnerable recharge endpoint if it is not critical to current operations
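# Example: Network ACL to restrict CHF SBI access
# (port 8000 and 10.5.0.0/24 are example values; adjust to your deployment)
# Example: Per-source connection cap with iptables to mitigate repeated exploitation
# Rules are evaluated in order, so this must come before the ACCEPT rule to take effect
iptables -A INPUT -p tcp --dport 8000 -m connlimit --connlimit-above 50 -j REJECT
# Allow only trusted NF IP ranges to reach the CHF service
iptables -A INPUT -p tcp --dport 8000 -s 10.5.0.0/24 -j ACCEPT
# Drop all other traffic to the CHF SBI port
iptables -A INPUT -p tcp --dport 8000 -j DROP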


