CVE-2026-32937 is a vulnerability classified under CWE-129 (Improper Validation of Array Index) found in the free5GC open-source 5G core network's CHF (Converged Charging Function) component, specifically in versions prior to 1.2.2. The flaw exists in the `nchf-convergedcharging` service's recharge API endpoint, which handles PUT requests to `/nchf-convergedcharging/v3/recharging/:ueId?ratingGroup=...`. When processing such a request, the server-side function `github.com/free5gc/chf/internal/sbi.(*Server).RechargePut(...)` improperly validates array indices, leading to out-of-bounds slice access. This triggers a runtime panic in Go, which, if unhandled, can crash the service. In typical deployments using the Gin web framework, the panic is caught and converted into an HTTP 500 Internal Server Error response, preventing a full crash but allowing denial-of-service conditions through repeated exploitation. Attackers with valid authentication credentials can exploit this remotely without user interaction, repeatedly triggering the panic to degrade the recharge functionality and flood system logs, potentially impacting the availability of charging services. The vulnerability does not affect confidentiality or integrity directly but poses a significant availability risk. Mitigations include patching to version 1.2.2 or later, restricting access to the recharge endpoint to trusted network functions, implementing rate limiting and network ACLs to limit abuse, disabling the recharge API if not needed, and ensuring panic recovery and monitoring are in place to detect and respond to exploitation attempts. No known exploits are reported in the wild as of publication.

The primary impact of CVE-2026-32937 is on the availability of the free5GC CHF recharge service, a critical component in 5G core networks responsible for charging and billing functions. Successful exploitation can cause repeated server panics, resulting in HTTP 500 errors and degraded service performance. In environments without proper panic recovery, the vulnerability could lead to full service crashes, causing denial-of-service conditions that disrupt charging operations. This disruption can affect subscriber billing, service continuity, and network operator revenue assurance. Additionally, log flooding may obscure detection of other issues and increase operational overhead. Since the vulnerability requires valid authentication but no user interaction, insider threats or compromised network functions could exploit it. The impact is significant for mobile network operators deploying free5GC CHF, especially those exposing the recharge API externally or lacking robust access controls. While confidentiality and integrity are not directly compromised, the availability degradation can indirectly affect overall network reliability and customer experience.

1. Upgrade free5GC CHF to version 1.2.2 or later where the vulnerability is patched. 2. Restrict access to the `/nchf-convergedcharging/v3/recharging/:ueId` endpoint strictly to trusted network functions (NFs) using strong authentication and network segmentation. 3. Implement rate limiting on the recharge API to prevent repeated triggering of the panic, using API gateways or firewall rules. 4. Apply network ACLs or firewall rules to limit exposure of the CHF SBI interface to only authorized internal systems. 5. If the recharge API is not required in the deployment, disable or block external reachability to this endpoint to eliminate the attack surface. 6. Ensure robust panic recovery mechanisms are enabled in the deployment environment to prevent service crashes, including configuring Gin recovery middleware properly. 7. Enable comprehensive monitoring and alerting on the recharge API to detect abnormal request patterns or repeated HTTP 500 errors indicative of exploitation attempts. 8. Conduct regular security audits and penetration testing focused on the CHF recharge service to validate controls and detect potential abuse.