CVE-2026-32937

Name of the Vulnerable Software and Affected Versions free5GC versions prior to 1.2.2

Description free5GC CHF has an out-of-bounds slice access issue within the nchf-convergedcharging service. A valid, authenticated request to the /nchf-convergedcharging/v3/recharging/:ueId?ratingGroup=... API Endpoint can cause a server-side panic in the github.com/free5gc/chf/internal/sbi.(*Server).RechargePut(...) function due to an out-of-range slice access. While Gin recovery may convert the panic into an HTTP 500 error, the recharge path remains susceptible to repeated panic triggers, potentially degrading recharge functionality and flooding logs. Deployments lacking equivalent recovery mechanisms may experience more significant service disruptions. The issue involves accessing a slice outside its defined bounds, leading to unexpected program behavior.

Recommendations Versions prior to 1.2.2: Restrict access to the nchf-convergedcharging recharge endpoint to only trusted NF callers. Versions prior to 1.2.2: Implement rate limiting or network ACLs before the CHF SBI interface to reduce repeated attempts to trigger the panic. Versions prior to 1.2.2: If the recharge API is not required, temporarily disable or block external access to this route. Versions prior to 1.2.2: Ensure panic recovery, monitoring, and alerting are enabled.