
CVE-2026-32937: CWE-129: Improper Validation of Array Index in free5gc chf

Severity: High
Type: Vulnerability
Published: Fri Mar 20 2026 (03/20/2026, 02:43:18 UTC)
Source: CVE Database V5
Vendor/Project: free5gc
Product: chf

Description

CVE-2026-32937 is a high-severity vulnerability in free5GC's CHF component prior to version 1.2.2, caused by improper validation of array indexes leading to out-of-bounds slice access. An authenticated attacker can trigger a server-side panic via a crafted PUT request to the recharge endpoint, causing service disruption. While some deployments convert this panic into HTTP 500 errors, others may experience more severe outages. The vulnerability can be exploited repeatedly to degrade recharge functionality and flood logs, impacting availability. Mitigations include restricting access to trusted network functions, applying rate limiting, disabling the recharge API if unused, and ensuring panic recovery and monitoring are in place. This vulnerability affects 5G core network deployments using free5GC CHF, particularly in countries with active 5G infrastructure adopting open-source core solutions. The CVSS 4.0 score is 7.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/27/2026, 19:35:02 UTC

Technical Analysis

CVE-2026-32937 is a vulnerability in the free5GC open-source 5G core network's CHF (Converged Charging Function) component, specifically in versions prior to 1.2.2. The issue arises from improper validation of array indexes (CWE-129) in the `nchf-convergedcharging` service. An authenticated attacker can send a specially crafted PUT request to the `/nchf-convergedcharging/v3/recharging/:ueId` endpoint with manipulated query parameters such as `ratingGroup`. This triggers an out-of-bounds slice access in the Go code at `github.com/free5gc/chf/internal/sbi.(*Server).RechargePut(...)`, causing a runtime panic. In environments using Gin recovery middleware, this panic is converted into an HTTP 500 error, preventing a full crash but still allowing repeated triggering that degrades recharge functionality and floods logs. In deployments lacking such recovery, the panic may cause the CHF service to crash, resulting in more severe availability disruptions. The recharge endpoint is critical for managing subscriber charging and balance updates in 5G networks, so disruption can impact billing and service continuity. The vulnerability requires authentication but no user interaction, and the attack surface is limited to network functions with access to the CHF SBI interface. No known exploits are reported in the wild yet. The free5GC project has patched the issue in version 1.2.2. Workarounds include restricting endpoint access to trusted network functions, applying rate limiting or network ACLs, disabling the recharge API if unused, and ensuring robust panic recovery and monitoring are implemented.

Potential Impact

The primary impact of CVE-2026-32937 is on the availability of the free5GC CHF service, which is responsible for converged charging in 5G core networks. Successful exploitation can cause repeated server panics, leading to degraded recharge functionality and potential denial of service. This can disrupt subscriber charging operations, affecting billing accuracy and potentially causing service interruptions for end users. The flooding of logs may also impact system performance and complicate incident response. In deployments without proper panic recovery, the CHF service could crash entirely, causing more severe outages in the 5G core network. Given the critical role of charging functions in telecom networks, this vulnerability poses a significant risk to network operators relying on free5GC, potentially affecting revenue and customer trust. The vulnerability requires authenticated access, limiting exposure to internal or trusted network functions, but if those are compromised or misconfigured, the risk increases. The absence of known active exploitation reduces immediate risk, but the ease of triggering the panic and the availability impact warrant prompt remediation.

Mitigation Recommendations

To mitigate CVE-2026-32937, organizations should upgrade free5GC CHF to version 1.2.2 or later where the vulnerability is patched. Until upgrading, restrict access to the `/nchf-convergedcharging/v3/recharging/:ueId` endpoint strictly to trusted network functions (NFs) using network segmentation and strong authentication controls. Implement rate limiting on the CHF SBI interface to prevent repeated triggering of the panic condition. Deploy network ACLs or firewall rules to limit exposure of the recharge API to only necessary internal components. If the recharge API is not required in the deployment, disable or block external reachability to this endpoint entirely. Ensure that the Gin recovery middleware or equivalent panic recovery mechanisms are enabled and properly configured to handle runtime panics gracefully, preventing service crashes. Establish monitoring and alerting on CHF service logs and metrics to detect abnormal panic events or service degradation promptly. Conduct regular security audits and penetration testing focused on internal NF interfaces to identify and remediate similar vulnerabilities proactively.
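
The bounds check that closes a CWE-129 defect and the panic-recovery fallback described above, as an added Go illustration that is not free5GC's code. The `balances` slice, the handler names and the `/recharging/ue-1` path are constructed, and plain `net/http` stands in for Gin.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// balances is constructed sample state indexed by rating group (not free5GC data).
var balances = []int{100, 250, 75}

// unchecked shows the CWE-129 pattern: a client-supplied index used directly.
func unchecked(w http.ResponseWriter, r *http.Request) {
	idx, _ := strconv.Atoi(r.URL.Query().Get("ratingGroup"))
	fmt.Fprint(w, balances[idx]) // runtime panic when idx is outside [0, len)
}

// checked rejects unparsable, negative and too-large indexes with a 400.
func checked(w http.ResponseWriter, r *http.Request) {
	idx, err := strconv.Atoi(r.URL.Query().Get("ratingGroup"))
	if err != nil || idx < 0 || idx >= len(balances) {
		http.Error(w, "invalid ratingGroup", http.StatusBadRequest)
		return
	}
	fmt.Fprint(w, balances[idx])
}

// recoverMW turns a handler panic into an HTTP 500, the role Gin recovery plays.
func recoverMW(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if recover() != nil {
				http.Error(w, "internal error", http.StatusInternalServerError)
			}
		}()
		next(w, r)
	}
}

// statusFor sends one in-memory PUT and returns the resulting HTTP status.
func statusFor(h http.HandlerFunc, ratingGroup string) int {
	req := httptest.NewRequest(http.MethodPut, "/recharging/ue-1?ratingGroup="+ratingGroup, nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() { fmt.Println(statusFor(recoverMW(unchecked), "99"), statusFor(checked, "99")) }
```

Recovery only contains the panic; each bad request still costs a 500 and a log entry, whereas the validated handler answers 400 without panicking.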


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-17T00:05:53.282Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69bcbde5e32a4fbe5f2545bc

Added to database: 3/20/2026, 3:24:21 AM

Last enriched: 3/27/2026, 7:35:02 PM

Last updated: 5/2/2026, 12:54:12 AM
