CVE-2026-5360 is a type confusion vulnerability discovered in Free5GC version 4.2.0, an open-source 5G core network implementation. The vulnerability resides in an unspecified function within the 'aper' component, which likely handles ASN.1 Packed Encoding Rules (APER) encoding/decoding. Type confusion occurs when a program mistakenly treats a piece of memory as a different data type than intended, potentially leading to undefined behavior or memory corruption. This vulnerability can be triggered remotely without requiring authentication or user interaction, but the attack complexity is high, indicating that exploitation demands significant expertise or specific conditions. The CVSS v4.0 score is 6.3 (medium severity), reflecting limited impact on confidentiality, integrity, and availability, and no privilege or user interaction requirements. Although a public exploit has been disclosed, there are no confirmed reports of active exploitation in the wild. The Free5GC project has released a patch (commit 26205eb01705754b7b902ad6c4b613c96c881e29) to address this issue. Given Free5GC's role in 5G core networks, this vulnerability could affect the stability and security of 5G network functions if exploited.

The vulnerability could allow a remote attacker to cause unexpected behavior in Free5GC's 5G core network functions by exploiting type confusion in the 'aper' component. While the direct impact on confidentiality, integrity, and availability is low, successful exploitation might lead to memory corruption, potentially causing service disruptions or enabling further attacks. Given Free5GC's deployment in 5G infrastructure, exploitation could affect mobile network operators relying on this software, potentially disrupting 5G services or degrading network performance. The high attack complexity and lack of known active exploits reduce immediate risk, but the public availability of an exploit increases the threat landscape. Organizations operating Free5GC 4.2.0 should consider the risk of targeted attacks aiming to destabilize 5G core network components.

1. Immediately apply the official patch identified by commit 26205eb01705754b7b902ad6c4b613c96c881e29 to Free5GC version 4.2.0 to remediate the vulnerability. 2. Conduct a thorough code review and testing of the 'aper' component to identify and fix any additional type confusion or memory handling issues. 3. Implement network-level protections such as strict firewall rules and segmentation to limit exposure of Free5GC components to untrusted networks. 4. Monitor Free5GC logs and network traffic for anomalous behavior indicative of exploitation attempts. 5. Regularly update Free5GC and related 5G core network software to the latest stable versions with security fixes. 6. Employ runtime protections such as memory safety tools or sandboxing where feasible to mitigate exploitation impact. 7. Coordinate with 5G infrastructure vendors and security teams to ensure comprehensive defense-in-depth strategies are in place.