Suse
CVE-2026-32937
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
This is an out-of-bounds slice access vulnerability in the CHF nchf-convergedcharging service. A valid authenticated request to PUT /nchf-convergedcharging/v3/recharging/:ueId?ratingGroup=... can trigger a server-side panic in github.com/free5gc/chf/internal/sbi.(*Server).RechargePut(...) due to an out-of-range slice access. In the reported runtime, Gin recovery converts the panic into HTTP 500, but the recharge path remains remotely panic-triggerable and can be abused repeatedly to degrade recharge functionality and flood logs. In deployments without equivalent recovery handling, this panic may cause more severe service disruption.
Patches
https://github.com/free5gc/chf/pull/61
Workarounds
- Restrict access to the
nchf-convergedchargingrecharge endpoint to strictly trusted NF callers only. - Apply rate limiting or network ACLs in front of the CHF SBI interface to reduce repeated panic-trigger attempts.
- If the recharge API is not required, temporarily disable or block external reachability to this route.
- Ensure panic recovery, monitoring, and alerting are enabled.
AnalysisAI
Out-of-bounds slice access in the Free5GC CHF nchf-convergedcharging service allows authenticated attackers to trigger server-side panics via malformed PUT requests to the recharge endpoint, causing denial of service and log flooding. An attacker with valid authentication credentials can repeatedly exploit this vulnerability to degrade recharge functionality and disrupt service availability. A patch is available to remediate this high-severity vulnerability.
Technical ContextAI
This vulnerability affects the free5gc CHF (Charging Function) implementation, which is a Go-based network function in 5G core network architectures responsible for converged charging services. The affected component is pkg:go/github.com_free5gc_chf, specifically in the github.com/free5gc/chf/internal/sbi.(*Server).RechargePut() function. The root cause is classified as CWE-129 (Improper Validation of Array Index), where user-supplied input in the ratingGroup query parameter of the recharge API endpoint is used to access a slice without proper bounds checking. In 5G networks, the CHF service handles charging data records (CDRs) and quota management between network functions, making availability critical for billing operations. The vulnerability manifests when processing authenticated PUT requests to /nchf-convergedcharging/v3/recharging/:ueId with malicious ratingGroup values, causing Go runtime panics due to out-of-range slice indexing.
RemediationAI
Apply the patch available in pull request https://github.com/free5gc/chf/pull/61 or upgrade to a version containing commit 55af766f321a00afa978e806548c96f8a7d2433e which addresses the out-of-bounds slice access vulnerability. Review the vendor security advisory at https://github.com/free5gc/free5gc/security/advisories/GHSA-6g43-577r-wf4x for complete remediation guidance. Until patching is feasible, implement the following compensating controls: restrict network access to the nchf-convergedcharging recharge endpoint using firewall rules or network ACLs to allow only strictly trusted network function callers, apply rate limiting at reverse proxy or API gateway layers to mitigate repeated panic-trigger attempts, and if recharge functionality is not actively required, temporarily disable or block external access to the /nchf-convergedcharging/v3/recharging route. Ensure panic recovery middleware is enabled and configure comprehensive monitoring with alerting on HTTP 500 errors and panic log patterns to detect exploitation attempts. Validate that authentication mechanisms for CHF SBI interfaces follow principle of least privilege and rotate any credentials that may have been exposed to untrusted parties.
Same weakness CWE-129 – Improper Validation of Array Index
View allSame technique Buffer Overflow
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-6g43-577r-wf4x