The vulnerability CVE-2026-33062 affects the Network Repository Function (NRF) component of free5GC, an open-source 5G core network implementation. The root cause is improper input validation in the EncodeGroupId function, which processes the group-id-list parameter. Specifically, the function splits the input string and attempts to access array indices [0], [1], and [2] without confirming that the split operation produced enough elements. If an attacker sends a malformed HTTP GET request with a group-id-list parameter containing insufficient separator characters, the function attempts to access out-of-range indices, causing a runtime panic and crashing the NRF service. This crash leads to a complete denial of service for the NRF discovery service, which is critical for 5G core network operations as it manages service discovery and registration. The vulnerability requires no authentication or user interaction and can be triggered remotely over the network. The issue is fixed in free5GC NRF version 1.4.2. Since there is no direct application-level workaround, organizations must either upgrade or restrict access to the NRF API to trusted entities. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N) reflects network attack vector, low complexity, no privileges or user interaction required, no confidentiality or integrity impact, but high availability impact due to service crash.

This vulnerability can cause a complete denial of service of the NRF discovery service in free5GC deployments, disrupting critical 5G core network functions such as service discovery and registration. The NRF is a fundamental component in the 5G core architecture, and its unavailability can lead to service outages, degraded network performance, and potential cascading failures in dependent network functions. For telecom operators and enterprises relying on free5GC, this can translate into significant operational disruptions, customer service degradation, and potential financial losses. Since the attack requires no authentication and can be executed remotely, the attack surface is broad, increasing the risk of exploitation. Although no known exploits are reported in the wild yet, the simplicity of triggering the crash makes it a likely target for denial-of-service attacks. The lack of confidentiality or integrity impact limits data breach risks, but the availability impact alone is critical for network reliability and service continuity.

The primary mitigation is to upgrade free5GC NRF to version 1.4.2 or later, where the input validation issue in EncodeGroupId is fixed. Until patching is possible, organizations should implement strict network-level access controls to restrict NRF API access to trusted and authenticated sources only, such as internal network segments or VPNs. Deploying Web Application Firewalls (WAFs) or API gateways that can detect and block malformed requests targeting the group-id-list parameter can provide additional protection. Monitoring NRF service logs and network traffic for unusual or malformed requests can help detect attempted exploitation. Implementing redundancy and failover mechanisms for NRF services can reduce the impact of potential crashes. Finally, integrating this vulnerability into incident response plans and conducting regular security assessments of 5G core components will improve preparedness against denial-of-service attacks.