CVE-2026-32937: Out-of-Bounds Slice Access in free5GC CHF Leading to DoS
(updated )
This is an out-of-bounds slice access vulnerability in the CHF nchf-convergedcharging service.
A valid authenticated request to PUT /nchf-convergedcharging/v3/recharging/:ueId?ratingGroup=... can trigger a server-side panic in github.com/free5gc/chf/internal/sbi.(*Server).RechargePut(...) due to an out-of-range slice access. In the reported runtime, Gin recovery converts the panic into HTTP 500, but the recharge path remains remotely panic-triggerable and can be abused repeatedly to degrade recharge functionality and flood logs. In deployments without equivalent recovery handling, this panic may cause more severe service disruption.
References
- github.com/advisories/GHSA-6g43-577r-wf4x
- github.com/free5gc/chf
- github.com/free5gc/chf/commit/55af766f321a00afa978e806548c96f8a7d2433e
- github.com/free5gc/chf/pull/61
- github.com/free5gc/free5gc/issues/864
- github.com/free5gc/free5gc/security/advisories/GHSA-6g43-577r-wf4x
- nvd.nist.gov/vuln/detail/CVE-2026-32937
Code Behaviors & Features
Detect and mitigate CVE-2026-32937 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →