CVE-2026-5360: Free5GC Type Confusion RCE Vulnerability

CVE-2026-5360 Overview

A type confusion vulnerability has been identified in Free5GC version 4.2.0, specifically affecting the APER (Aligned Packed Encoding Rules) component. The vulnerability stems from improper validation of PrintableString data during parsing operations, which can lead to type confusion when processing malformed input. The attack can be launched remotely over the network, though the exploitation complexity is described as high, making successful attacks more difficult to achieve.

Critical Impact
Type confusion in the APER component of Free5GC 4.2.0 may allow remote attackers to cause denial of service conditions through specially crafted network requests targeting the core network infrastructure.

Affected Products

Free5GC version 4.2.0
Free5GC APER component (prior to patch 26205eb01705754b7b902ad6c4b613c96c881e29)

Discovery Timeline

April 2, 2026 - CVE-2026-5360 published to NVD
April 2, 2026 - Last updated in NVD database

Technical Details for CVE-2026-5360

Vulnerability Analysis

This vulnerability is classified as CWE-843 (Access of Resource Using Incompatible Type - Type Confusion). The APER component in Free5GC is responsible for encoding and decoding ASN.1 data structures used in 5G core network communications. The vulnerability exists in the string parsing functionality where PrintableString data was not properly validated against the allowed character set defined in X.680 specification (Table 8).

When processing incoming network data, the parser would accept bytes outside the valid PrintableString character set, potentially leading to type confusion when the data is subsequently used by other components expecting properly validated string data. This could result in unexpected behavior or denial of service conditions within the 5G core network functions.

Root Cause

The root cause lies in the missing validation logic for PrintableString parsing in the aper.go file. Prior to the patch, the parseOctetString function was used directly for PrintableString parsing without verifying that the byte values conform to the PrintableString character set as defined in ITU-T X.680 Section 37.4 Table 8. This allowed invalid byte sequences to be processed and returned as valid strings.

Attack Vector

The attack vector is network-based, requiring an attacker to send specially crafted ASN.1 encoded messages to the Free5GC core network. The attack complexity is high due to:

Requiring knowledge of the ASN.1 structure and APER encoding rules
The need to craft specific malformed PrintableString data that triggers the type confusion
Network access to the Free5GC deployment

The following patch introduces proper PrintableString validation:

func (pd *perBitData) parsePrintableString(extensed bool, lowerBoundPtr *int64, upperBoundPtr *int64) (string, error) {
	octetString, err := pd.parseOctetString(extensed, lowerBoundPtr, upperBoundPtr)
	if err != nil {
		return "", err
	}
	// X.680 37.4 Table 8 – PrintableString
	for i, b := range octetString {
		ok := false
		switch b {
		case 0x20, 0x27, 0x28, 0x29, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x3A, 0x3D, 0x3F:
			ok = true
		default:
			if (b >= '0' && b <= '9') || (b >= 'A' && b <= 'Z') || (b >= 'a' && b <= 'z') {
				ok = true
			}
		}
		if !ok {
			logger.AperLog.Warnf("Invalid PrintableString: illegal byte 0x%02x at pos %d", b, i)
			perTrace(1, "Ignored PrintableString due to illegal byte 0x%02x at pos %d", b, i)
			return "", nil
		}
	}
	return string(octetString), nil
}

Source: GitHub Commit Change

Detection Methods for CVE-2026-5360

Indicators of Compromise

Unusual or malformed ASN.1 encoded messages targeting Free5GC network functions
Error logs containing references to PrintableString parsing failures or invalid byte sequences
Unexpected crashes or restarts of Free5GC APER-dependent services
Network traffic containing non-printable characters in fields expected to contain PrintableString data

Detection Strategies

Monitor Free5GC application logs for warnings related to "Invalid PrintableString" or "illegal byte" patterns
Implement deep packet inspection for ASN.1/APER encoded traffic to detect malformed PrintableString fields
Deploy network-based intrusion detection rules targeting anomalous 5G signaling messages
Enable debug logging in the APER component to capture detailed parsing information during incident investigation

Monitoring Recommendations

Configure alerting on Free5GC service crashes or unexpected restarts that may indicate exploitation attempts
Establish baseline metrics for APER parsing errors and alert on significant deviations
Monitor network interfaces for unusual volumes of malformed 5G protocol messages
Implement centralized log collection for all Free5GC components to enable correlation analysis

How to Mitigate CVE-2026-5360

Immediate Actions Required

Apply the security patch identified by commit 26205eb01705754b7b902ad6c4b613c96c881e29 to the APER component
Review and update Free5GC deployments to include the patched APER library
Audit network access controls to limit exposure of Free5GC core network functions to trusted sources only
Enable enhanced logging on affected systems to detect potential exploitation attempts

Patch Information

The vulnerability has been addressed through Pull Request #11 in the Free5GC APER repository. The patch introduces the parsePrintableString function that validates each byte against the allowed character set defined in X.680 Table 8 before accepting the string. The fix is available in commit 26205eb01705754b7b902ad6c4b613c96c881e29.

For additional context, refer to GitHub Issue #831 in the main Free5GC repository.

Workarounds

Implement network segmentation to restrict access to Free5GC interfaces from untrusted networks
Deploy a Web Application Firewall (WAF) or network filter capable of inspecting and blocking malformed ASN.1 traffic
Configure rate limiting on network interfaces handling 5G signaling to reduce the impact of potential attacks
Monitor and restart affected services automatically upon detecting anomalous behavior

bash

# Configuration example - Verify the APER component version contains the fix
cd /path/to/free5gc/aper
git log --oneline | grep 26205eb

# If patch is not present, update the APER component
git fetch origin
git checkout 26205eb01705754b7b902ad6c4b613c96c881e29

# Rebuild Free5GC with the patched APER library
cd /path/to/free5gc
make clean && make

CVE-2026-5360 Overview

Critical Impact
Type confusion in the APER component of Free5GC 4.2.0 may allow remote attackers to cause denial of service conditions through specially crafted network requests targeting the core network infrastructure.

Affected Products

Free5GC version 4.2.0
Free5GC APER component (prior to patch 26205eb01705754b7b902ad6c4b613c96c881e29)

Discovery Timeline

April 2, 2026 - CVE-2026-5360 published to NVD
April 2, 2026 - Last updated in NVD database

Technical Details for CVE-2026-5360

Vulnerability Analysis

Root Cause

Attack Vector

The attack vector is network-based, requiring an attacker to send specially crafted ASN.1 encoded messages to the Free5GC core network. The attack complexity is high due to:

Requiring knowledge of the ASN.1 structure and APER encoding rules
The need to craft specific malformed PrintableString data that triggers the type confusion
Network access to the Free5GC deployment

The following patch introduces proper PrintableString validation:

func (pd *perBitData) parsePrintableString(extensed bool, lowerBoundPtr *int64, upperBoundPtr *int64) (string, error) {
	octetString, err := pd.parseOctetString(extensed, lowerBoundPtr, upperBoundPtr)
	if err != nil {
		return "", err
	}
	// X.680 37.4 Table 8 – PrintableString
	for i, b := range octetString {
		ok := false
		switch b {
		case 0x20, 0x27, 0x28, 0x29, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x3A, 0x3D, 0x3F:
			ok = true
		default:
			if (b >= '0' && b <= '9') || (b >= 'A' && b <= 'Z') || (b >= 'a' && b <= 'z') {
				ok = true
			}
		}
		if !ok {
			logger.AperLog.Warnf("Invalid PrintableString: illegal byte 0x%02x at pos %d", b, i)
			perTrace(1, "Ignored PrintableString due to illegal byte 0x%02x at pos %d", b, i)
			return "", nil
		}
	}
	return string(octetString), nil
}

Source: GitHub Commit Change

Detection Methods for CVE-2026-5360

Indicators of Compromise

Unusual or malformed ASN.1 encoded messages targeting Free5GC network functions
Error logs containing references to PrintableString parsing failures or invalid byte sequences
Unexpected crashes or restarts of Free5GC APER-dependent services
Network traffic containing non-printable characters in fields expected to contain PrintableString data

Detection Strategies

Monitor Free5GC application logs for warnings related to "Invalid PrintableString" or "illegal byte" patterns
Implement deep packet inspection for ASN.1/APER encoded traffic to detect malformed PrintableString fields
Deploy network-based intrusion detection rules targeting anomalous 5G signaling messages
Enable debug logging in the APER component to capture detailed parsing information during incident investigation

Monitoring Recommendations

Configure alerting on Free5GC service crashes or unexpected restarts that may indicate exploitation attempts
Establish baseline metrics for APER parsing errors and alert on significant deviations
Monitor network interfaces for unusual volumes of malformed 5G protocol messages
Implement centralized log collection for all Free5GC components to enable correlation analysis

How to Mitigate CVE-2026-5360

Immediate Actions Required

Apply the security patch identified by commit 26205eb01705754b7b902ad6c4b613c96c881e29 to the APER component
Review and update Free5GC deployments to include the patched APER library
Audit network access controls to limit exposure of Free5GC core network functions to trusted sources only
Enable enhanced logging on affected systems to detect potential exploitation attempts

Patch Information

For additional context, refer to GitHub Issue #831 in the main Free5GC repository.

Workarounds

Implement network segmentation to restrict access to Free5GC interfaces from untrusted networks
Deploy a Web Application Firewall (WAF) or network filter capable of inspecting and blocking malformed ASN.1 traffic
Configure rate limiting on network interfaces handling 5G signaling to reduce the impact of potential attacks
Monitor and restart affected services automatically upon detecting anomalous behavior

bash

# Configuration example - Verify the APER component version contains the fix
cd /path/to/free5gc/aper
git log --oneline | grep 26205eb

# If patch is not present, update the APER component
git fetch origin
git checkout 26205eb01705754b7b902ad6c4b613c96c881e29

# Rebuild Free5GC with the patched APER library
cd /path/to/free5gc
make clean && make

CVE-2026-5360: Free5GC Type Confusion RCE Vulnerability

CVE-2026-5360 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-5360

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-5360

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-5360

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2026-5360: Free5GC Type Confusion RCE Vulnerability

CVE-2026-5360 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-5360

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-5360

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-5360

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform