The vulnerability identified as CVE-2026-33062 affects the Network Repository Function (NRF) component of free5GC, an open-source 5G core network implementation. The root cause is improper input validation in the EncodeGroupId function, which processes the group-id-list parameter. Specifically, the function splits the input string and attempts to access array indices [0], [1], and [2] without confirming that the split result contains enough elements. If the input string is malformed and lacks sufficient separator characters, this leads to an 'index out of range' panic, causing the NRF service to crash. Since the NRF is responsible for service discovery within the 5G core network, its unavailability results in a denial of service affecting all dependent network functions. The vulnerability can be triggered remotely via a crafted HTTP GET request without any authentication or user interaction, making exploitation straightforward. The issue affects all free5GC NRF versions prior to 1.4.2, with the vendor releasing version 1.4.2 to address the flaw. No direct application-level workaround exists, but restricting access to the NRF API to trusted sources can reduce exposure. The CVSS 4.0 score of 8.7 reflects the vulnerability's network attack vector, low complexity, no privileges required, and high impact on availability. There are no known exploits in the wild at the time of publication, but the simplicity of triggering the crash suggests a high risk if targeted. This vulnerability falls under CWE-284 (Improper Access Control) due to insufficient validation leading to service disruption.

The primary impact of CVE-2026-33062 is a denial of service condition on the NRF discovery service within free5GC-based 5G core networks. Since the NRF is critical for service discovery and registration of network functions, its unavailability can disrupt the entire 5G core network operation, potentially affecting subscriber connectivity, session management, and network function orchestration. This can lead to widespread service outages, degraded network performance, and loss of revenue for network operators. The vulnerability requires no authentication and can be exploited remotely, increasing the risk of automated or targeted attacks. Organizations relying on free5GC for 5G core deployments, especially those in production environments, face operational risks and potential regulatory compliance issues if network availability is compromised. The lack of a direct application-level workaround means that until patched, networks remain vulnerable unless access controls are strictly enforced. The impact extends beyond individual operators to potentially affect end-users and critical services relying on 5G connectivity.

To mitigate CVE-2026-33062, organizations should immediately upgrade free5GC NRF to version 1.4.2 or later, where the input validation flaw has been corrected. In environments where immediate patching is not feasible, network administrators should implement strict access controls to limit NRF API exposure only to trusted and authenticated sources, such as internal network segments or VPNs. Deploying Web Application Firewalls (WAFs) or API gateways with input validation rules to detect and block malformed group-id-list parameters can provide additional protection. Monitoring NRF service logs and network traffic for unusual or malformed requests targeting the group-id-list parameter can help detect attempted exploitation. Network segmentation and zero-trust principles should be applied to isolate the NRF service from untrusted networks. Finally, organizations should incorporate this vulnerability into their incident response and vulnerability management processes to ensure timely remediation and awareness.