Description
free5GC is an open source 5G core network. free5GC CHF prior to version 1.2.2 has an out-of-bounds slice access vulnerability in the CHF `nchf-convergedcharging` service. A valid authenticated request to PUT `/nchf-convergedcharging/v3/recharging/:ueId?ratingGroup=...` can trigger a server-side panic in `github.com/free5gc/chf/internal/sbi.(*Server).RechargePut(...)` due to an out-of-range slice access. In the reported runtime, Gin recovery converts the panic into HTTP 500, but the recharge path remains remotely panic-triggerable and can be abused repeatedly to degrade recharge functionality and flood logs. In deployments without equivalent recovery handling, this panic may cause more severe service disruption. free5GC CHF patches the issue. Some workarounds are available: Restrict access to the `nchf-convergedcharging` recharge endpoint to strictly trusted NF callers only; apply rate limiting or network ACLs in front of the CHF SBI interface to reduce repeated panic-trigger attempts; if the recharge API is not required, temporarily disable or block external reachability to this route; and/or ensure panic recovery, monitoring, and alerting are enabled.
Published: 2026-03-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via server-side panic triggered by an out-of-bounds slice access in free5GC CHF's recharge API
Action: Immediate Patch
AI Analysis

Impact

An out-of-bounds slice access in the free5GC Converged Charging Function’s recharge endpoint causes a server panic that is converted to an HTTP 500 response. Repeated authenticated attempts can degrade recharge functionality, flood logs, and in environments lacking recovery handling, may lead to full service disruption. This represents a CWE‑129 vulnerability that impacts availability.
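
The failure mode described above, as an added Go example that is not free5GC code: the handlers, the `quotas` slice and the mapping of `ratingGroup` to a slice index are hypothetical. It shows a caller-controlled index panicking, a recovery wrapper turning the panic into HTTP 500 while the route stays panic-triggerable, and the bounds check that removes the panic.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// Constructed sample data: one quota entry per rating group.
var quotas = []int{100, 250, 50}

// vulnerableRecharge (hypothetical) indexes a slice with a caller-supplied value.
func vulnerableRecharge(w http.ResponseWriter, r *http.Request) {
	rg, _ := strconv.Atoi(r.URL.Query().Get("ratingGroup"))
	fmt.Fprintf(w, "quota=%d", quotas[rg]) // panics when rg is out of range
}

// hardenedRecharge validates the index first and answers 400 on bad input.
func hardenedRecharge(w http.ResponseWriter, r *http.Request) {
	rg, err := strconv.Atoi(r.URL.Query().Get("ratingGroup"))
	if err != nil || rg < 0 || rg >= len(quotas) {
		http.Error(w, "unknown ratingGroup", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "quota=%d", quotas[rg])
}

// probe sends one PUT through a recovery wrapper (panic -> HTTP 500, as a
// recovery middleware does) and reports the status and whether a panic was caught.
func probe(h http.HandlerFunc, ratingGroup string) (status int, panicked bool) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPut, "/recharging/ue-1?ratingGroup="+ratingGroup, nil)
	func() {
		defer func() {
			if recover() != nil {
				panicked = true // the signal monitoring and alerting should count
				http.Error(rec, "internal error", http.StatusInternalServerError)
			}
		}()
		h(rec, req)
	}()
	return rec.Code, panicked
}

func main() {
	fmt.Println(probe(vulnerableRecharge, "7")) // 500 true
	fmt.Println(probe(hardenedRecharge, "7"))   // 400 false
}
```

Recovery only changes how the panic surfaces; every out-of-range request still costs a panic and a log entry until the index is validated.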

Affected Systems

The vulnerability affects free5GC CHF deployments running versions prior to 1.2.2. Any installation exposing the /nchf-convergedcharging/v3/recharging/:ueId endpoint to authenticated calls is potentially affected. The issue is specific to the CHF's recharge handling logic and is addressed in later releases of free5GC.

Risk and Exploitability

With a CVSS score of 7.1 and an EPSS of less than 1%, the risk is high but exploitation likelihood is low. The attack vector is an authenticated API call to a protected endpoint; an attacker who can obtain valid credentials for the SBI interface can trigger the panic repeatedly. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, indicating no widespread public exploitation yet.

Generated by OpenCVE AI on March 27, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading free5GC CHF to version 1.2.2 or later.
  • If patching is delayed, restrict the recharge endpoint to trusted NF callers only, using network ACLs or firewall rules.
  • Deploy rate limiting on the SBI interface to reduce repeated panic attempts.
  • If the recharge API is not required, disable or block external access to the /nchf-convergedcharging route.
  • Ensure panic recovery, monitoring, and alerting are enabled to detect and respond to unexpected server panics.

Advisories
Source: GitHub GHSA
ID: GHSA-6g43-577r-wf4x
Title: Out-of-Bounds Slice Access in free5GC CHF Leading to DoS
History

Fri, 27 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Free5gc free5gc
CPEs cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*
Vendors & Products Free5gc free5gc
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Fri, 20 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Free5gc
Free5gc chf
Vendors & Products Free5gc
Free5gc chf

Fri, 20 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description (text identical to the Description at the top of this page)
Title free5GC CHF has Out-of-Bounds Slice Access that Leads to DoS
Weaknesses CWE-129
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T19:56:21.132Z

Reserved: 2026-03-17T00:05:53.282Z

Link: CVE-2026-32937

Vulnrichment

Updated: 2026-03-20T19:55:51.606Z

NVD

Status: Analyzed

Published: 2026-03-20T03:16:00.923

Modified: 2026-03-27T17:21:06.170

Link: CVE-2026-32937

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:26:50Z

Weaknesses