Skip to main content

Suse CVE-2026-32937

HIGH
Improper Validation of Array Index (CWE-129)
2026-03-18 https://github.com/free5gc/chf GHSA-6g43-577r-wf4x
7.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Mar 18, 2026 - 17:30 vuln.today
Patch released
Mar 18, 2026 - 17:30 nvd
Patch available
CVE Published
Mar 18, 2026 - 17:26 nvd
HIGH 7.1

DescriptionGitHub Advisory

Impact

This is an out-of-bounds slice access vulnerability in the CHF nchf-convergedcharging service. A valid authenticated request to PUT /nchf-convergedcharging/v3/recharging/:ueId?ratingGroup=... can trigger a server-side panic in github.com/free5gc/chf/internal/sbi.(*Server).RechargePut(...) due to an out-of-range slice access. In the reported runtime, Gin recovery converts the panic into HTTP 500, but the recharge path remains remotely panic-triggerable and can be abused repeatedly to degrade recharge functionality and flood logs. In deployments without equivalent recovery handling, this panic may cause more severe service disruption.

Patches

https://github.com/free5gc/chf/pull/61

Workarounds

  • Restrict access to the nchf-convergedcharging recharge endpoint to strictly trusted NF callers only.
  • Apply rate limiting or network ACLs in front of the CHF SBI interface to reduce repeated panic-trigger attempts.
  • If the recharge API is not required, temporarily disable or block external reachability to this route.
  • Ensure panic recovery, monitoring, and alerting are enabled.

AnalysisAI

Out-of-bounds slice access in the Free5GC CHF nchf-convergedcharging service allows authenticated attackers to trigger server-side panics via malformed PUT requests to the recharge endpoint, causing denial of service and log flooding. An attacker with valid authentication credentials can repeatedly exploit this vulnerability to degrade recharge functionality and disrupt service availability. A patch is available to remediate this high-severity vulnerability.

Technical ContextAI

This vulnerability affects the free5gc CHF (Charging Function) implementation, which is a Go-based network function in 5G core network architectures responsible for converged charging services. The affected component is pkg:go/github.com_free5gc_chf, specifically in the github.com/free5gc/chf/internal/sbi.(*Server).RechargePut() function. The root cause is classified as CWE-129 (Improper Validation of Array Index), where user-supplied input in the ratingGroup query parameter of the recharge API endpoint is used to access a slice without proper bounds checking. In 5G networks, the CHF service handles charging data records (CDRs) and quota management between network functions, making availability critical for billing operations. The vulnerability manifests when processing authenticated PUT requests to /nchf-convergedcharging/v3/recharging/:ueId with malicious ratingGroup values, causing Go runtime panics due to out-of-range slice indexing.

RemediationAI

Apply the patch available in pull request https://github.com/free5gc/chf/pull/61 or upgrade to a version containing commit 55af766f321a00afa978e806548c96f8a7d2433e which addresses the out-of-bounds slice access vulnerability. Review the vendor security advisory at https://github.com/free5gc/free5gc/security/advisories/GHSA-6g43-577r-wf4x for complete remediation guidance. Until patching is feasible, implement the following compensating controls: restrict network access to the nchf-convergedcharging recharge endpoint using firewall rules or network ACLs to allow only strictly trusted network function callers, apply rate limiting at reverse proxy or API gateway layers to mitigate repeated panic-trigger attempts, and if recharge functionality is not actively required, temporarily disable or block external access to the /nchf-convergedcharging/v3/recharging route. Ensure panic recovery middleware is enabled and configure comprehensive monitoring with alerting on HTTP 500 errors and panic log patterns to detect exploitation attempts. Validate that authentication mechanisms for CHF SBI interfaces follow principle of least privilege and rotate any credentials that may have been exposed to untrusted parties.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-32937 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy