| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| libxmljs2 | npm | <= 0.35.0 | |

The vulnerability description explicitly identifies `namespaces()` -> `get_local_namespaces()` as the call chain. The PoC demonstrates exploitation via `c2.namespaces(true)` on an entity-referenced node. Type confusion occurs when these functions process entity-derived nodes without proper type checks: entity nodes don't have namespaces, but they get treated as namespace-capable nodes. The root cause is the lack of node type validation in these functions.
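The missing check, sketched as an added example (not libxmljs2's or libxml2's own code): a namespace walk that validates the node type before touching element-only fields. The structs, field names and `local_namespaces()` are simplified stand-ins constructed for illustration; the numeric type values mirror libxml2's `xmlElementType`.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model (constructed): every node kind starts with the same
   header, but only elements carry a namespace-definition list. */
typedef enum { ELEMENT_NODE = 1, ENTITY_REF_NODE = 5, ENTITY_DECL = 17 } node_type;
typedef struct { node_type type; const char *name; } node_hdr;
typedef struct ns { struct ns *next; const char *href; const char *prefix; } ns;

typedef struct { node_hdr hdr; ns *ns_def; } element_node;           /* namespace-capable */
typedef struct { node_hdr hdr; int length; int etype; } entity_node; /* no namespaces */

/* Copies up to cap local namespace prefixes into out and returns the count.
   Returns -1 for any node kind that cannot carry namespace definitions. */
int local_namespaces(const node_hdr *n, const char **out, int cap) {
    /* The validation the advisory names as missing: without it, the cast
       below would reinterpret an entity's fields as a namespace list. */
    if (n == NULL || n->type != ELEMENT_NODE)
        return -1;
    const element_node *el = (const element_node *)n;
    int count = 0;
    for (const ns *d = el->ns_def; d != NULL && count < cap; d = d->next)
        out[count++] = d->prefix;
    return count;
}

int main(void) {
    /* Constructed sample nodes: one element with two namespaces, one entity. */
    ns b = { NULL, "urn:example:b", "b" };
    ns a = { &b, "urn:example:a", "a" };
    element_node el = { { ELEMENT_NODE, "root" }, &a };
    entity_node ent = { { ENTITY_DECL, "c" }, 4, 1 };
    const char *out[4];

    printf("element: %d namespaces\n", local_namespaces(&el.hdr, out, 4));
    printf("entity:  %d (rejected)\n", local_namespaces(&ent.hdr, out, 4));
    return 0;
}
```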