CVE-2026-32937

{"id": "CVE-2026-32937", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-20T03:16:00.923", "references": [{"url": "https://github.com/free5gc/chf/commit/55af766f321a00afa978e806548c96f8a7d2433e", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/free5gc/chf/pull/61", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/free5gc/free5gc/issues/864", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-6g43-577r-wf4x", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-129"}]}], "descriptions": [{"lang": "en", "value": "free5GC is an open source 5G core network. free5GC CHF prior to version 1.2.2 has an out-of-bounds slice access vulnerability in the CHF `nchf-convergedcharging` service. A valid authenticated request to PUT `/nchf-convergedcharging/v3/recharging/:ueId?ratingGroup=...` can trigger a server-side panic in `github.com/free5gc/chf/internal/sbi.(*Server).RechargePut(...)` due to an out-of-range slice access. In the reported runtime, Gin recovery converts the panic into HTTP 500, but the recharge path remains remotely panic-triggerable and can be abused repeatedly to degrade recharge functionality and flood logs. In deployments without equivalent recovery handling, this panic may cause more severe service disruption. free5GC CHF patches the issue. Some workarounds are available: Restrict access to the `nchf-convergedcharging` recharge endpoint to strictly trusted NF callers only; apply rate limiting or network ACLs in front of the CHF SBI interface to reduce repeated panic-trigger attempts; if the recharge API is not required, temporarily disable or block external reachability to this route; and/or ensure panic recovery, monitoring, and alerting are enabled."}, {"lang": "es", "value": "free5GC es una red central 5G de c\u00f3digo abierto. free5GC CHF anterior a la versi\u00f3n 1.2.2 tiene una vulnerabilidad de acceso a una porci\u00f3n fuera de l\u00edmites en el servicio CHF 'nchf-convergedcharging'. Una solicitud autenticada v\u00e1lida a PUT `/nchf-convergedcharging/v3/recharging/:ueId?ratingGroup=...` puede desencadenar un p\u00e1nico del lado del servidor en 'github.com/free5gc/chf/internal/sbi.(*Server).RechargePut(...)' debido a un acceso a una porci\u00f3n fuera de rango. En el tiempo de ejecuci\u00f3n reportado, la recuperaci\u00f3n de Gin convierte el p\u00e1nico en HTTP 500, pero la ruta de recarga permanece remotamente susceptible de desencadenar un p\u00e1nico y puede ser abusada repetidamente para degradar la funcionalidad de recarga e inundar los registros. En implementaciones sin un manejo de recuperaci\u00f3n equivalente, este p\u00e1nico puede causar una interrupci\u00f3n del servicio m\u00e1s grave. free5GC CHF aplica un parche al problema. Algunas soluciones alternativas est\u00e1n disponibles: Restringir el acceso al punto final de recarga 'nchf-convergedcharging' solo a llamadores NF estrictamente confiables; aplicar limitaci\u00f3n de velocidad o ACL de red delante de la interfaz SBI del CHF para reducir los intentos repetidos de desencadenar p\u00e1nicos; si la API de recarga no es necesaria, deshabilitar o bloquear temporalmente la accesibilidad externa a esta ruta; y/o asegurar que la recuperaci\u00f3n de p\u00e1nicos, el monitoreo y las alertas est\u00e9n habilitados."}], "lastModified": "2026-03-27T17:21:06.170", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8CF52F6B-5D2D-4F80-8BA2-A3E5177B3917", "versionEndExcluding": "1.2.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}