PT-2026-26184 · Free5Gc · Free5Gc

Zfei10990-Cmd · Published 2026-03-18 · Updated 2026-03-27 · CVE-2026-33062

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

free5GC versions prior to 1.4.2

Description

This issue is an Improper Input Validation leading to Denial of Service in free5GC NRF. All deployments of free5GC using the NRF discovery service are affected. The EncodeGroupId function attempts to access array indices [0], [1], [2] without validating the length of the split data. When the group-id-list parameter contains insufficient separator characters in an HTTP GET request, the code panics with an "index out of range" error. A remote attacker can cause the NRF service to panic and crash by sending a crafted HTTP GET request with a malformed group-id-list parameter, resulting in a complete denial of service for the NRF discovery service. The API endpoint involved is the NRF API.

Recommendations

free5GC versions prior to 1.4.2: Apply the provided patch or restrict access to the NRF API to trusted sources only.
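
The flaw class described above, shown as an added Go example that is not free5GC's code or its patch: indexing the result of a split without a length check, next to a form that validates first. The separator `-` and the names `unsafeSplit`, `safeSplit` and `panics` are assumptions made for illustration; the advisory does not give the real separator or the function body.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Assumed separator: the advisory does not say which character is used.
const groupIDSep = "-"

var ErrMalformedGroupID = errors.New("malformed group id")

// unsafeSplit reproduces the flawed pattern: indexing the split result
// without checking its length. (Hypothetical name, not free5GC code.)
func unsafeSplit(id string) [3]string {
	p := strings.Split(id, groupIDSep)
	return [3]string{p[0], p[1], p[2]} // runtime panic if len(p) < 3
}

// safeSplit checks the field count first and reports bad input as an error
// that the HTTP handler can turn into a 400 response.
func safeSplit(id string) ([3]string, error) {
	p := strings.Split(id, groupIDSep)
	if len(p) < 3 {
		return [3]string{}, fmt.Errorf("%w: %q has %d field(s), need 3",
			ErrMalformedGroupID, id, len(p))
	}
	return [3]string{p[0], p[1], p[2]}, nil
}

// panics reports whether f aborts with a runtime panic.
func panics(f func()) (didPanic bool) {
	defer func() { didPanic = recover() != nil }()
	f()
	return false
}

func main() {
	// Constructed sample values, not real identifiers.
	for _, id := range []string{"aa-bb-cc", "aa-bb", ""} {
		_, err := safeSplit(id)
		fmt.Printf("%q unsafe panics=%v safe err=%v\n",
			id, panics(func() { unsafeSplit(id) }), err)
	}
}
```

Rejecting the value with an error at parse time keeps the failure local to the one request instead of taking it through the runtime's panic path.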

Exploit

Fix

DoS

Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2026-33062
GHSA-7C47-XR7Q-P6HG
GO-2026-4756
SUSE-SU-2026:1135-1

Affected Products

Free5Gc