Free5gc CVE-2026-5360

Q: What is the CVSS score of CVE-2026-5360?

CVE-2026-5360 has a CVSS 4.0 base score of 2.9 (Low). CVSS vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-18414 LOW

Access of Resource Using Incompatible Type (Type Confusion) (CWE-843)

2026-04-02 cna@vuldb.com

GHSA-qpxw-qvw5-7292

Information Disclosure Memory Corruption Free5gc

2.9

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.9 LOW

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:11 NVD

6.3 (MEDIUM) 2.9 (LOW)

EUVD ID Assigned

Apr 02, 2026 - 17:22 euvd

EUVD-2026-18414

Analysis Generated

Apr 02, 2026 - 17:22 vuln.today

CVE Published

Apr 02, 2026 - 17:16 nvd

MEDIUM 6.3

DescriptionCVE.org

A vulnerability has been found in Free5GC 4.2.0. The affected element is an unknown function of the component aper. Such manipulation leads to type confusion. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 26205eb01705754b7b902ad6c4b613c96c881e29. It is best practice to apply a patch to resolve this issue.

AnalysisAI

Type confusion in Free5GC 4.2.0's aper component allows remote attackers to trigger memory corruption and information disclosure with high attack complexity and without authentication. The vulnerability stems from improper type handling in ASN.1 parsing and has publicly available exploit code, though active exploitation at scale has not been confirmed. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	The CVSS 4.0 vector indicates unauthenticated remote exploitation (PR:N, UI:N) with high attack complexity (AC:H) and notable constraints: availability impact (VA:L) is present, but confidentiality and integrity impacts are assessed as none (VC:N, VI:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker sends a specially crafted 5G protocol message (encoded in ASN.1 PER format) to a Free5GC core network element (such as the AMF, SMF, or UPF) that handles aper-encoded N1/N2/N3 interface messages. The malformed message triggers type confusion in the aper decoder, causing it to misinterpret a crafted field as a different data structure. …
Remediation	Upstream fix available in commit 26205eb01705754b7b902ad6c4b613c96c881e29 (referenced as PR #11 to the aper repository). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-5360 vulnerability details – vuln.today

Back