    10 vulnerabilities by The Libreswan Project

    CVE-2026-50722 (GCVE-0-2026-50722)

    Vulnerability from nvd – Published: 2026-07-02 21:34 – Updated: 2026-07-02 21:34
    Title
    IKEv2 Denial of Service via RSA-SHA1 (PKCS#1 RSASSA-PKCS1-v1_5) authentication payload
    Summary
    Libreswan, via the function RSA_authenticate_hash_signature_pkcs1_1_5_rsa(), did not correctly verify the DER encoding of the ASN.1 digest when the IKEv2 AUTH payload was encoded using RSASSA-PKCS1-v1_5 (RFC 8017). A remote attacker can use a variation on the Bleichenbacher attack to forge the AUTH payload when small public exponents are used (e.g., e=3), leading to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the AUTH payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of the remote IKE peer are not affected.
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    • CWE-617 - Reachable Assertion
    Impacted products
    Vendor: The Libreswan Project
    Product: libreswan
    Version: Affected: 0, ≤ 5.3 (semver); Unaffected: 5.3.1 (semver)
    Credits
    Yeonghyeon Choi, Duyeong Kim, Andrew Cagney (The Libreswan Team)

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/libreswan/libreswan",
              "defaultStatus": "unaffected",
              "packageName": "libreswan",
              "product": "libreswan",
              "programRoutines": [
                {
                  "name": "RSA_authenticate_hash_signature_pkcs1_1_5_rsa"
                }
              ],
              "repo": "https://github.com/libreswan/libreswan",
              "vendor": "The Libreswan Project",
              "versions": [
                {
                  "lessThanOrEqual": "5.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "5.3.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "value": "Any server or client that accepts RSA-based IKEv2 connections via the default authby= settings is vulnerable to denial of service. Authentication bypass additionally requires the use of RSA keys with weak exponents (e=3). IKEv2 by default allows ECDSA, RSA-SSA-PSS, and RSA PKCS#1 1.5 as fallback due to Microsoft Windows not supporting RSASSA-PSS."
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Yeonghyeon Choi"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Duyeong Kim"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Andrew Cagney (The Libreswan Team)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eLibreswan, via the function RSA_authenticate_hash_signature_pkcs1_1_5_rsa(), did not correctly verify the DER encoding of the ASN.1 digest when the IKEv2 AUTH payload was encoded using RSASSA-PKCS1-v1_5 (RFC 8017). A remote attacker can use a variation on the Bleichenbacher attack to forge the AUTH payload when small public exponents are used (e.g., e=3), leading to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the AUTH payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of the remote IKE peer are not affected.\u003c/p\u003e"
                }
              ],
              "value": "Libreswan, via the function RSA_authenticate_hash_signature_pkcs1_1_5_rsa(), did not correctly verify the DER encoding of the ASN.1 digest when the IKEv2 AUTH payload was encoded using RSASSA-PKCS1-v1_5 (RFC 8017). A remote attacker can use a variation on the Bleichenbacher attack to forge the AUTH payload when small public exponents are used (e.g., e=3), leading to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the AUTH payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of the remote IKE peer are not affected."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "value": "No known exploitation in the wild. The authentication bypass requires the target to use RSA keys with weak exponents (e=3), which have been disallowed by most cryptographic libraries for at least a decade. The denial-of-service attack is exploitable against any IKEv2 configuration using default authby= settings that permit RSA PKCS#1 v1.5 fallback."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-463",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Denial of Service via assertion failure in pluto daemon when processing malformed RSA PKCS#1 v1.5 AUTH payloads"
                }
              ]
            },
            {
              "capecId": "CAPEC-473",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Authentication bypass via Bleichenbacher-style signature forgery when weak RSA exponents (e.g., e=3) are in use"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "Weak RSA exponent (e=3) in use, enabling Bleichenbacher signature forgery"
                }
              ]
            },
            {
              "other": {
                "content": {
                  "description": "Vendor-assessed severity: Medium. Authentication bypass requires weak RSA exponents (e=3) which have been disallowed by most cryptographic libraries for over a decade. DoS is mitigated by automatic daemon restart.",
                  "value": "MEDIUM"
                },
                "type": "vendorSeverity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347: Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-617",
                  "description": "CWE-617: Reachable Assertion",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-02T21:34:41.413Z",
            "orgId": "d42dc95b-23f1-4e06-9076-20753a0fb0df",
            "shortName": "libreswan"
          },
          "references": [
            {
              "name": "Libreswan Security Advisory CVE-2026-50722",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://libreswan.org/security/CVE-2026-50722/CVE-2026-50722.txt"
            },
            {
              "name": "Libreswan CVE-2026-50722 Patches",
              "tags": [
                "patch"
              ],
              "url": "https://libreswan.org/security/CVE-2026-50722/"
            },
            {
              "name": "Related: CVE-2026-50721 (IKEv1 variant)",
              "tags": [
                "related"
              ],
              "url": "https://libreswan.org/security/CVE-2026-50721/CVE-2026-50721.txt"
            },
            {
              "name": "RFC 8017 - PKCS #1: RSA Cryptography Specifications Version 2.2",
              "tags": [
                "technical-description"
              ],
              "url": "https://www.rfc-editor.org/rfc/rfc8017"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpgrade to libreswan 5.3.1 or later. Patches for libreswan 4.15 and 5.3 are available at \u003ca href=\"https://libreswan.org/security/CVE-2026-50722/\"\u003ehttps://libreswan.org/security/CVE-2026-50722/\u003c/a\u003e\u003c/p\u003e"
                }
              ],
              "value": "Upgrade to libreswan 5.3.1 or later. Patches for libreswan 4.15 and 5.3 are available at https://libreswan.org/security/CVE-2026-50722/"
            }
          ],
          "source": {
            "defects": [
              "CVE-2026-50722"
            ],
            "discovery": "EXTERNAL"
          },
          "taxonomyMappings": [
            {
              "taxonomyName": "ATT\u0026CK",
              "taxonomyRelations": [
                {
                  "relationshipName": "maps to",
                  "relationshipValue": "Application or System Exploitation (DoS)",
                  "taxonomyId": "T1499.004"
                }
              ],
              "taxonomyVersion": "15.1"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-24T00:00:00.000Z",
              "value": "Libreswan notified of the issue via security@libreswan.org"
            },
            {
              "lang": "en",
              "time": "2026-06-16T00:00:00.000Z",
              "value": "Advanced notice given to supported customers and distributions"
            },
            {
              "lang": "en",
              "time": "2026-06-24T00:00:00.000Z",
              "value": "Public announcement and release of libreswan 5.3.1"
            }
          ],
          "title": "IKEv2 Denial of Service via RSA-SHA1 (PKCS#1 RSASSA-PKCS1-v1_5) authentication payload",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIf Windows support is not needed, configure \u003ccode\u003eauthby=ecdsa\u003c/code\u003e or \u003ccode\u003eauthby=rsa-sha2\u003c/code\u003e (or both via \u003ccode\u003eauthby=ecdsa,rsa-sha2\u003c/code\u003e) to disallow the fallback of RSA PKCS#1 1.5. The \u003ccode\u003eleftauth=\u003c/code\u003e and \u003ccode\u003erightauth=\u003c/code\u003e settings can be updated similarly if those are in use instead of \u003ccode\u003eauthby\u003c/code\u003e.\u003c/p\u003e"
                }
              ],
              "value": "If Windows support is not needed, configure authby=ecdsa or authby=rsa-sha2 (or both via authby=ecdsa,rsa-sha2) to disallow the fallback of RSA PKCS#1 1.5. The leftauth= and rightauth= settings can be updated similarly if those are in use instead of authby."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "d42dc95b-23f1-4e06-9076-20753a0fb0df",
        "assignerShortName": "libreswan",
        "cveId": "CVE-2026-50722",
        "datePublished": "2026-07-02T21:34:41.413Z",
        "dateReserved": "2026-06-05T16:10:05.751Z",
        "dateUpdated": "2026-07-02T21:34:41.413Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50721 (GCVE-0-2026-50721)

    Vulnerability from nvd – Published: 2026-07-02 21:44 – Updated: 2026-07-02 21:44
    Title
    IKEv1 Denial of Service via RSA-SHA1 (PKCS#1 Version 1.5 Encrypted) authentication payload
    Summary
    Libreswan, via the function RSA_authenticate_hash_signature_raw_rsa(), did not correctly verify the length of the authentication hash when the SIG payload of an IKEv1 packet was encoded using PKCS #1 RSA Encryption as per RFC 2313. A remote attacker can use a variation on the Bleichenbacher attack to forge the SIG payload when small public exponents are being used (e.g., e=3), which could lead to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the SIG payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of remote IKE peers are not affected.
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    • CWE-617 - Reachable Assertion
    Impacted products
    Vendor: The Libreswan Project
    Product: libreswan
    Version: Affected: 0, ≤ 5.3 (semver); Unaffected: 5.3.1 (semver)
    Credits
    Yeonghyeon Choi, Duyeong Kim, Andrew Cagney (The Libreswan Team)

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/libreswan/libreswan",
              "defaultStatus": "unaffected",
              "packageName": "libreswan",
              "product": "libreswan",
              "programRoutines": [
                {
                  "name": "RSA_authenticate_hash_signature_raw_rsa"
                }
              ],
              "repo": "https://github.com/libreswan/libreswan",
              "vendor": "The Libreswan Project",
              "versions": [
                {
                  "lessThanOrEqual": "5.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "5.3.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "value": "Any server or client that accepts RSA-based IKEv1 connections via the default authby=rsasig option is vulnerable to denial of service. Authentication bypass additionally requires the use of RSA keys with weak exponents (e=3). IKEv1 only supports RSA-SHA1 (PKCS#1 Version 1.5) for public key authentication, so the vulnerable code path cannot be disabled without migrating to IKEv2 or switching to PSK."
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Yeonghyeon Choi"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Duyeong Kim"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Andrew Cagney (The Libreswan Team)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eLibreswan, via the function RSA_authenticate_hash_signature_raw_rsa(), did not correctly verify the length of the authentication hash when the SIG payload of an IKEv1 packet was encoded using PKCS #1 RSA Encryption as per RFC 2313. A remote attacker can use a variation on the Bleichenbacher attack to forge the SIG payload when small public exponents are being used (e.g., e=3), which could lead to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the SIG payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of remote IKE peers are not affected.\u003c/p\u003e"
                }
              ],
              "value": "Libreswan, via the function RSA_authenticate_hash_signature_raw_rsa(), did not correctly verify the length of the authentication hash when the SIG payload of an IKEv1 packet was encoded using PKCS #1 RSA Encryption as per RFC 2313. A remote attacker can use a variation on the Bleichenbacher attack to forge the SIG payload when small public exponents are being used (e.g., e=3), which could lead to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the SIG payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of remote IKE peers are not affected."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "value": "No known exploitation in the wild. The authentication bypass requires the target to use RSA keys with weak exponents (e=3), which have been disallowed by most cryptographic libraries for at least a decade. The denial-of-service attack is exploitable against any IKEv1 configuration using the default authby=rsasig option."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-463",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Denial of Service via assertion failure in pluto daemon when processing malformed RSA PKCS#1 v1.5 SIG payloads in IKEv1"
                }
              ]
            },
            {
              "capecId": "CAPEC-473",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Authentication bypass via Bleichenbacher-style signature forgery when weak RSA exponents (e.g., e=3) are in use"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "Weak RSA exponent (e=3) in use, enabling Bleichenbacher signature forgery"
                }
              ]
            },
            {
              "other": {
                "content": {
                  "description": "Vendor-assessed severity: Medium. Authentication bypass requires weak RSA exponents (e=3) which have been disallowed by most cryptographic libraries for over a decade. DoS is mitigated by automatic daemon restart.",
                  "value": "MEDIUM"
                },
                "type": "vendorSeverity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347: Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-617",
                  "description": "CWE-617: Reachable Assertion",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-02T21:44:09.423Z",
            "orgId": "d42dc95b-23f1-4e06-9076-20753a0fb0df",
            "shortName": "libreswan"
          },
          "references": [
            {
              "name": "Libreswan Security Advisory CVE-2026-50721",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://libreswan.org/security/CVE-2026-50721/CVE-2026-50721.txt"
            },
            {
              "name": "Libreswan CVE-2026-50721 Patches",
              "tags": [
                "patch"
              ],
              "url": "https://libreswan.org/security/CVE-2026-50721/"
            },
            {
              "name": "Related: CVE-2026-50722 (IKEv2 variant)",
              "tags": [
                "related"
              ],
              "url": "https://libreswan.org/security/CVE-2026-50722/CVE-2026-50722.txt"
            },
            {
              "name": "RFC 2313 - PKCS #1: RSA Encryption Version 1.5",
              "tags": [
                "technical-description"
              ],
              "url": "https://www.rfc-editor.org/rfc/rfc2313"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpgrade to libreswan 5.3.1 or later. Patches for libreswan 4.15 and 5.3 are available at \u003ca href=\"https://libreswan.org/security/CVE-2026-50721/\"\u003ehttps://libreswan.org/security/CVE-2026-50721/\u003c/a\u003e\u003c/p\u003e"
                }
              ],
              "value": "Upgrade to libreswan 5.3.1 or later. Patches for libreswan 4.15 and 5.3 are available at https://libreswan.org/security/CVE-2026-50721/"
            }
          ],
          "source": {
            "defects": [
              "CVE-2026-50721"
            ],
            "discovery": "EXTERNAL"
          },
          "taxonomyMappings": [
            {
              "taxonomyName": "ATT\u0026CK",
              "taxonomyRelations": [
                {
                  "relationshipName": "maps to",
                  "relationshipValue": "Application or System Exploitation (DoS)",
                  "taxonomyId": "T1499.004"
                }
              ],
              "taxonomyVersion": "15.1"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-24T00:00:00.000Z",
              "value": "Libreswan notified of the issue via security@libreswan.org"
            },
            {
              "lang": "en",
              "time": "2026-06-16T00:00:00.000Z",
              "value": "Advanced notice given to supported customers and distributions"
            },
            {
              "lang": "en",
              "time": "2026-06-24T00:00:00.000Z",
              "value": "Public announcement and release of libreswan 5.3.1"
            }
          ],
          "title": "IKEv1 Denial of Service via RSA-SHA1 (PKCS#1 Version 1.5 Encrypted) authentication payload",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIKEv1 only supports RSA-SHA1 (PKCS#1 Version 1.5) with public key authentication, so there is no way to disable the vulnerable code path within IKEv1. Migrate IKEv1 connections to IKEv2 where \u003ccode\u003eauthby=ecdsa\u003c/code\u003e or \u003ccode\u003eauthby=rsa-sha2\u003c/code\u003e can be configured. For static tunnel configurations (not Remote Access VPN Client groups), authentication can be changed to use PSK via \u003ccode\u003eauthby=secret\u003c/code\u003e after coordination with the remote peer.\u003c/p\u003e"
                }
              ],
              "value": "IKEv1 only supports RSA-SHA1 (PKCS#1 Version 1.5) with public key authentication, so there is no way to disable the vulnerable code path within IKEv1. Migrate IKEv1 connections to IKEv2 where authby=ecdsa or authby=rsa-sha2 can be configured. For static tunnel configurations (not Remote Access VPN Client groups), authentication can be changed to use PSK via authby=secret after coordination with the remote peer."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "d42dc95b-23f1-4e06-9076-20753a0fb0df",
        "assignerShortName": "libreswan",
        "cveId": "CVE-2026-50721",
        "datePublished": "2026-07-02T21:44:09.423Z",
        "dateReserved": "2026-06-05T16:10:05.751Z",
        "dateUpdated": "2026-07-02T21:44:09.423Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12413 (GCVE-0-2026-12413)

    Vulnerability from nvd – Published: 2026-07-02 21:19 – Updated: 2026-07-02 21:19
    Title
    IKEv2 Denial of Service via malformed fragmentation
    Summary
    An invalidly formatted IKEv2 fragment causes the Libreswan pluto daemon to crash and restart. Continued exploitation would cause a denial of service. The function reassemble_v2_incoming_fragments() would ignore unknown outer payloads but still store these in a fixed-size array msg_digest.digest[PAYLIMIT]. An off-by-one error in the assertion PASSERT(logger, md->digest_roof < elemsof(md->digest)) causes the daemon to abort. No remote code execution is possible. Any configuration that allows IKEv2 connections and does not set fragmentation=no is vulnerable. IKEv1 is not affected.
    Impacted products
    Vendor: The Libreswan Project
    Product: libreswan
    Version: Affected: 4.6, ≤ 5.3 (semver); Unaffected: 5.3.1 (semver)
    Credits
    Hu Xinyao

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "libreswan",
              "vendor": "The Libreswan Project",
              "versions": [
                {
                  "lessThanOrEqual": "5.3",
                  "status": "affected",
                  "version": "4.6",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "5.3.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Hu Xinyao"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An invalidly formatted IKEv2 fragment causes the Libreswan pluto daemon to crash and restart. Continued exploitation would cause a denial of service. The function reassemble_v2_incoming_fragments() would ignore unknown outer payloads but still store these in a fixed size array msg_digest.digest[PAYLIMIT]. An off-by-one error in the assertion PASSERT(logger, md-\u003edigest_roof \u003c elemsof(md-\u003edigest)) causes the daemon to abort. No remote code execution is possible. Any configuration that allows IKEv2 connections that do not set fragmentation=no are vulnerable. IKEv1 is not affected."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "other": {
                "content": {
                  "description": "Vendor-assessed severity. The daemon automatically restarts after the crash, requiring continued exploitation for sustained denial of service.",
                  "value": "MEDIUM"
                },
                "type": "vendorSeverity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-193",
                  "description": "Off-by-one Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-617",
                  "description": "Reachable Assertion",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-02T21:19:22.177Z",
            "orgId": "d42dc95b-23f1-4e06-9076-20753a0fb0df",
            "shortName": "libreswan"
          },
          "references": [
            {
              "name": "Libreswan Security Advisory",
              "url": "https://libreswan.org/security/CVE-2026-12413/CVE-2026-12413.txt"
            },
            {
              "name": "Libreswan CVE-2026-12413 Patches",
              "url": "https://libreswan.org/security/CVE-2026-12413/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to libreswan 5.3.1 or later. Patches for libreswan 4.15 and 5.3 are available at https://libreswan.org"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-16T00:00:00.000Z",
              "value": "Libreswan notified of the issue via security@libreswan.org"
            },
            {
              "lang": "en",
              "time": "2026-06-16T00:00:00.000Z",
              "value": "Advanced notice given to supported customers and distributions"
            },
            {
              "lang": "en",
              "time": "2026-06-24T00:00:00.000Z",
              "value": "Public announcement and release of libreswan 5.3.1"
            }
          ],
          "title": "IKEv2 Denial of Service via malformed fragmentation",
          "workarounds": [
            {
              "lang": "en",
              "value": "If fragmentation is not needed, fragmentation=no can be added to all IKEv2 configurations. If fragmentation is needed, no workaround is possible and the fix needs to be applied."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "d42dc95b-23f1-4e06-9076-20753a0fb0df",
        "assignerShortName": "libreswan",
        "cveId": "CVE-2026-12413",
        "datePublished": "2026-07-02T21:19:22.177Z",
        "dateReserved": "2026-06-16T15:52:12.674Z",
        "dateUpdated": "2026-07-02T21:19:22.177Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2020-1763 (GCVE-0-2020-1763)

    Vulnerability from nvd – Published: 2020-05-12 13:41 – Updated: 2024-08-04 06:46
    Summary
    An out-of-bounds buffer read flaw was found in the pluto daemon of libreswan from versions 3.27 till 3.31 where, an unauthenticated attacker could use this flaw to crash libreswan by sending specially-crafted IKEv1 Informational Exchange packets. The daemon respawns after the crash.
    Impacted products
    Vendor Product Version
    the libreswan Project libreswan Affected: from versions 3.27 till 3.31

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T06:46:30.902Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://libreswan.org/security/CVE-2020-1763/CVE-2020-1763.txt"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1763"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1813329"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/libreswan/libreswan/commit/471a3e41a449d7c753bc4edbba4239501bb62ba8"
              },
              {
                "name": "DSA-4684",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2020/dsa-4684"
              },
              {
                "name": "GLSA-202007-21",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202007-21"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-379803.pdf"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-040-04"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libreswan",
              "vendor": "the libreswan Project",
              "versions": [
                {
                  "status": "affected",
                  "version": "from versions 3.27 till 3.31"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An out-of-bounds buffer read flaw was found in the pluto daemon of libreswan from versions 3.27 till 3.31 where, an unauthenticated attacker could use this flaw to crash libreswan by sending specially-crafted IKEv1 Informational Exchange packets. The daemon respawns after the crash."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-12T05:48:52.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://libreswan.org/security/CVE-2020-1763/CVE-2020-1763.txt"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1763"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1813329"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/libreswan/libreswan/commit/471a3e41a449d7c753bc4edbba4239501bb62ba8"
            },
            {
              "name": "DSA-4684",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2020/dsa-4684"
            },
            {
              "name": "GLSA-202007-21",
              "tags": [
                "vendor-advisory",
                "x_refsource_GENTOO"
              ],
              "url": "https://security.gentoo.org/glsa/202007-21"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-379803.pdf"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-040-04"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2020-1763",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "libreswan",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "from versions 3.27 till 3.31"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "the libreswan Project"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An out-of-bounds buffer read flaw was found in the pluto daemon of libreswan from versions 3.27 till 3.31 where, an unauthenticated attacker could use this flaw to crash libreswan by sending specially-crafted IKEv1 Informational Exchange packets. The daemon respawns after the crash."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-125"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://libreswan.org/security/CVE-2020-1763/CVE-2020-1763.txt",
                  "refsource": "CONFIRM",
                  "url": "https://libreswan.org/security/CVE-2020-1763/CVE-2020-1763.txt"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1763",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1763"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1813329",
                  "refsource": "MISC",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1813329"
                },
                {
                  "name": "https://github.com/libreswan/libreswan/commit/471a3e41a449d7c753bc4edbba4239501bb62ba8",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/libreswan/libreswan/commit/471a3e41a449d7c753bc4edbba4239501bb62ba8"
                },
                {
                  "name": "DSA-4684",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2020/dsa-4684"
                },
                {
                  "name": "GLSA-202007-21",
                  "refsource": "GENTOO",
                  "url": "https://security.gentoo.org/glsa/202007-21"
                },
                {
                  "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-379803.pdf",
                  "refsource": "CONFIRM",
                  "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-379803.pdf"
                },
                {
                  "name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-040-04",
                  "refsource": "MISC",
                  "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-040-04"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2020-1763",
        "datePublished": "2020-05-12T13:41:20.000Z",
        "dateReserved": "2019-11-27T00:00:00.000Z",
        "dateUpdated": "2024-08-04T06:46:30.902Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-10155 (GCVE-0-2019-10155)

    Vulnerability from nvd – Published: 2019-06-12 13:51 – Updated: 2024-08-04 22:10
    Summary
    The Libreswan Project has found a vulnerability in the processing of IKEv1 informational exchange packets which are encrypted and integrity protected using the established IKE SA encryption and integrity keys, but as a receiver, the integrity check value was not verified. This issue affects versions before 3.29.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:10:09.974Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://libreswan.org/security/CVE-2019-10155/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10155"
              },
              {
                "name": "FEDORA-2019-f7fb531958",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LFGPGLLKAXSLWFI62A6BZHTZSCHRCBXS/"
              },
              {
                "name": "FEDORA-2019-1bd9cfb718",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EUEXFCN7FAYBKJBQJLYCEUQUCHDEJRZW/"
              },
              {
                "name": "RHSA-2019:3391",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3391"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libreswan",
              "vendor": "the libreswan Project",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.29"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Libreswan Project has found a vulnerability in the processing of IKEv1 informational exchange packets which are encrypted and integrity protected using the established IKE SA encryption and integrity keys, but as a receiver, the integrity check value was not verified. This issue affects versions before 3.29."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-354",
                  "description": "CWE-354",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-11-06T00:07:32.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://libreswan.org/security/CVE-2019-10155/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10155"
            },
            {
              "name": "FEDORA-2019-f7fb531958",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LFGPGLLKAXSLWFI62A6BZHTZSCHRCBXS/"
            },
            {
              "name": "FEDORA-2019-1bd9cfb718",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EUEXFCN7FAYBKJBQJLYCEUQUCHDEJRZW/"
            },
            {
              "name": "RHSA-2019:3391",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3391"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2019-10155",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "libreswan",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "3.29"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "the libreswan Project"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Libreswan Project has found a vulnerability in the processing of IKEv1 informational exchange packets which are encrypted and integrity protected using the established IKE SA encryption and integrity keys, but as a receiver, the integrity check value was not verified. This issue affects versions before 3.29."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "3.1/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-354"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://libreswan.org/security/CVE-2019-10155/",
                  "refsource": "MISC",
                  "url": "https://libreswan.org/security/CVE-2019-10155/"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10155",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10155"
                },
                {
                  "name": "FEDORA-2019-f7fb531958",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LFGPGLLKAXSLWFI62A6BZHTZSCHRCBXS/"
                },
                {
                  "name": "FEDORA-2019-1bd9cfb718",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EUEXFCN7FAYBKJBQJLYCEUQUCHDEJRZW/"
                },
                {
                  "name": "RHSA-2019:3391",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3391"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2019-10155",
        "datePublished": "2019-06-12T13:51:01.000Z",
        "dateReserved": "2019-03-27T00:00:00.000Z",
        "dateUpdated": "2024-08-04T22:10:09.974Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-50721 (GCVE-0-2026-50721)

    Vulnerability from cvelistv5 – Published: 2026-07-02 21:44 – Updated: 2026-07-02 21:44
    Title
    IKEv1 Denial of Service via RSA-SHA1 (PKCS#1 Version 1.5 Encrypted) authentication payload
    Summary
    Libreswan, via the function RSA_authenticate_hash_signature_raw_rsa(), did not correctly verify the length of the authentication hash when the SIG payload of an IKEv1 packet was encoded using PKCS #1 RSA Encryption as per RFC 2313. A remote attacker can use a variation on the Bleichenbacher attack to forge the SIG payload when small public exponents are being used (e.g., e=3), which could lead to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the SIG payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of remote IKE peers are not affected.
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    • CWE-617 - Reachable Assertion
    Impacted products
    Vendor Product Version
    The Libreswan Project libreswan Affected: 0 , ≤ 5.3 (semver)
    Unaffected: 5.3.1 (semver)
    Credits
    Yeonghyeon Choi Duyeong Kim Andrew Cagney (The Libreswan Team)

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/libreswan/libreswan",
              "defaultStatus": "unaffected",
              "packageName": "libreswan",
              "product": "libreswan",
              "programRoutines": [
                {
                  "name": "RSA_authenticate_hash_signature_raw_rsa"
                }
              ],
              "repo": "https://github.com/libreswan/libreswan",
              "vendor": "The Libreswan Project",
              "versions": [
                {
                  "lessThanOrEqual": "5.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "5.3.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "value": "Any server or client that accepts RSA-based IKEv1 connections via the default authby=rsasig option is vulnerable to denial of service. Authentication bypass additionally requires the use of RSA keys with weak exponents (e=3). IKEv1 only supports RSA-SHA1 (PKCS#1 Version 1.5) for public key authentication, so the vulnerable code path cannot be disabled without migrating to IKEv2 or switching to PSK."
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Yeonghyeon Choi"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Duyeong Kim"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Andrew Cagney (The Libreswan Team)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eLibreswan, via the function RSA_authenticate_hash_signature_raw_rsa(), did not correctly verify the length of the authentication hash when the SIG payload of an IKEv1 packet was encoded using PKCS #1 RSA Encryption as per RFC 2313. A remote attacker can use a variation on the Bleichenbacher attack to forge the SIG payload when small public exponents are being used (e.g., e=3), which could lead to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the SIG payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of remote IKE peers are not affected.\u003c/p\u003e"
                }
              ],
              "value": "Libreswan, via the function RSA_authenticate_hash_signature_raw_rsa(), did not correctly verify the length of the authentication hash when the SIG payload of an IKEv1 packet was encoded using PKCS #1 RSA Encryption as per RFC 2313. A remote attacker can use a variation on the Bleichenbacher attack to forge the SIG payload when small public exponents are being used (e.g., e=3), which could lead to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the SIG payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of remote IKE peers are not affected."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "value": "No known exploitation in the wild. The authentication bypass requires the target to use RSA keys with weak exponents (e=3), which have been disallowed by most cryptographic libraries for at least a decade. The denial-of-service attack is exploitable against any IKEv1 configuration using the default authby=rsasig option."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-463",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Denial of Service via assertion failure in pluto daemon when processing malformed RSA PKCS#1 v1.5 SIG payloads in IKEv1"
                }
              ]
            },
            {
              "capecId": "CAPEC-473",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Authentication bypass via Bleichenbacher-style signature forgery when weak RSA exponents (e.g., e=3) are in use"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "Weak RSA exponent (e=3) in use, enabling Bleichenbacher signature forgery"
                }
              ]
            },
            {
              "other": {
                "content": {
                  "description": "Vendor-assessed severity: Medium. Authentication bypass requires weak RSA exponents (e=3) which have been disallowed by most cryptographic libraries for over a decade. DoS is mitigated by automatic daemon restart.",
                  "value": "MEDIUM"
                },
                "type": "vendorSeverity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347: Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-617",
                  "description": "CWE-617: Reachable Assertion",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-02T21:44:09.423Z",
            "orgId": "d42dc95b-23f1-4e06-9076-20753a0fb0df",
            "shortName": "libreswan"
          },
          "references": [
            {
              "name": "Libreswan Security Advisory CVE-2026-50721",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://libreswan.org/security/CVE-2026-50721/CVE-2026-50721.txt"
            },
            {
              "name": "Libreswan CVE-2026-50721 Patches",
              "tags": [
                "patch"
              ],
              "url": "https://libreswan.org/security/CVE-2026-50721/"
            },
            {
              "name": "Related: CVE-2026-50722 (IKEv2 variant)",
              "tags": [
                "related"
              ],
              "url": "https://libreswan.org/security/CVE-2026-50722/CVE-2026-50722.txt"
            },
            {
              "name": "RFC 2313 - PKCS #1: RSA Encryption Version 1.5",
              "tags": [
                "technical-description"
              ],
              "url": "https://www.rfc-editor.org/rfc/rfc2313"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpgrade to libreswan 5.3.1 or later. Patches for libreswan 4.15 and 5.3 are available at \u003ca href=\"https://libreswan.org/security/CVE-2026-50721/\"\u003ehttps://libreswan.org/security/CVE-2026-50721/\u003c/a\u003e\u003c/p\u003e"
                }
              ],
              "value": "Upgrade to libreswan 5.3.1 or later. Patches for libreswan 4.15 and 5.3 are available at https://libreswan.org/security/CVE-2026-50721/"
            }
          ],
          "source": {
            "defects": [
              "CVE-2026-50721"
            ],
            "discovery": "EXTERNAL"
          },
          "taxonomyMappings": [
            {
              "taxonomyName": "ATT\u0026CK",
              "taxonomyRelations": [
                {
                  "relationshipName": "maps to",
                  "relationshipValue": "Application or System Exploitation (DoS)",
                  "taxonomyId": "T1499.004"
                }
              ],
              "taxonomyVersion": "15.1"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-24T00:00:00.000Z",
              "value": "Libreswan notified of the issue via security@libreswan.org"
            },
            {
              "lang": "en",
              "time": "2026-06-16T00:00:00.000Z",
              "value": "Advanced notice given to supported customers and distributions"
            },
            {
              "lang": "en",
              "time": "2026-06-24T00:00:00.000Z",
              "value": "Public announcement and release of libreswan 5.3.1"
            }
          ],
          "title": "IKEv1 Denial of Service via RSA-SHA1 (PKCS#1 Version 1.5 Encrypted) authentication payload",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIKEv1 only supports RSA-SHA1 (PKCS#1 Version 1.5) with public key authentication, so there is no way to disable the vulnerable code path within IKEv1. Migrate IKEv1 connections to IKEv2 where \u003ccode\u003eauthby=ecdsa\u003c/code\u003e or \u003ccode\u003eauthby=rsa-sha2\u003c/code\u003e can be configured. For static tunnel configurations (not Remote Access VPN Client groups), authentication can be changed to use PSK via \u003ccode\u003eauthby=secret\u003c/code\u003e after coordination with the remote peer.\u003c/p\u003e"
                }
              ],
              "value": "IKEv1 only supports RSA-SHA1 (PKCS#1 Version 1.5) with public key authentication, so there is no way to disable the vulnerable code path within IKEv1. Migrate IKEv1 connections to IKEv2 where authby=ecdsa or authby=rsa-sha2 can be configured. For static tunnel configurations (not Remote Access VPN Client groups), authentication can be changed to use PSK via authby=secret after coordination with the remote peer."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "d42dc95b-23f1-4e06-9076-20753a0fb0df",
        "assignerShortName": "libreswan",
        "cveId": "CVE-2026-50721",
        "datePublished": "2026-07-02T21:44:09.423Z",
        "dateReserved": "2026-06-05T16:10:05.751Z",
        "dateUpdated": "2026-07-02T21:44:09.423Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50722 (GCVE-0-2026-50722)

    Vulnerability from cvelistv5 – Published: 2026-07-02 21:34 – Updated: 2026-07-02 21:34
    Title
    IKEv2 Denial of Service via RSA-SHA1 (PKCS#1 RSASSA-PKCS1-v1_5) authentication payload
    Summary
    Libreswan, via the function RSA_authenticate_hash_signature_pkcs1_1_5_rsa(), did not correctly verify the DER encoding of the ASN.1 digest when the IKEv2 AUTH payload was encoded using RSASSA-PKCS1-v1_5 (RFC 8017). A remote attacker can use a variation on the Bleichenbacher attack to forge the AUTH payload when small public exponents are used (e.g., e=3), leading to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the AUTH payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of the remote IKE peer are not affected.
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    • CWE-617 - Reachable Assertion
    Impacted products
    Vendor Product Version
    The Libreswan Project libreswan Affected: 0 , ≤ 5.3 (semver)
    Unaffected: 5.3.1 (semver)
    Credits
    Yeonghyeon Choi Duyeong Kim Andrew Cagney (The Libreswan Team)

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/libreswan/libreswan",
              "defaultStatus": "unaffected",
              "packageName": "libreswan",
              "product": "libreswan",
              "programRoutines": [
                {
                  "name": "RSA_authenticate_hash_signature_pkcs1_1_5_rsa"
                }
              ],
              "repo": "https://github.com/libreswan/libreswan",
              "vendor": "The Libreswan Project",
              "versions": [
                {
                  "lessThanOrEqual": "5.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "5.3.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "value": "Any server or client that accepts RSA-based IKEv2 connections via the default authby= settings is vulnerable to denial of service. Authentication bypass additionally requires the use of RSA keys with weak exponents (e=3). IKEv2 by default allows ECDSA, RSA-SSA-PSS, and RSA PKCS#1 1.5 as fallback due to Microsoft Windows not supporting RSASSA-PSS."
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Yeonghyeon Choi"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Duyeong Kim"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Andrew Cagney (The Libreswan Team)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eLibreswan, via the function RSA_authenticate_hash_signature_pkcs1_1_5_rsa(), did not correctly verify the DER encoding of the ASN.1 digest when the IKEv2 AUTH payload was encoded using RSASSA-PKCS1-v1_5 (RFC 8017). A remote attacker can use a variation on the Bleichenbacher attack to forge the AUTH payload when small public exponents are used (e.g., e=3), leading to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the AUTH payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of the remote IKE peer are not affected.\u003c/p\u003e"
                }
              ],
              "value": "Libreswan, via the function RSA_authenticate_hash_signature_pkcs1_1_5_rsa(), did not correctly verify the DER encoding of the ASN.1 digest when the IKEv2 AUTH payload was encoded using RSASSA-PKCS1-v1_5 (RFC 8017). A remote attacker can use a variation on the Bleichenbacher attack to forge the AUTH payload when small public exponents are used (e.g., e=3), leading to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the AUTH payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of the remote IKE peer are not affected."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "value": "No known exploitation in the wild. The authentication bypass requires the target to use RSA keys with weak exponents (e=3), which have been disallowed by most cryptographic libraries for at least a decade. The denial-of-service attack is exploitable against any IKEv2 configuration using default authby= settings that permit RSA PKCS#1 v1.5 fallback."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-463",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Denial of Service via assertion failure in pluto daemon when processing malformed RSA PKCS#1 v1.5 AUTH payloads"
                }
              ]
            },
            {
              "capecId": "CAPEC-473",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Authentication bypass via Bleichenbacher-style signature forgery when weak RSA exponents (e.g., e=3) are in use"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "Weak RSA exponent (e=3) in use, enabling Bleichenbacher signature forgery"
                }
              ]
            },
            {
              "other": {
                "content": {
                  "description": "Vendor-assessed severity: Medium. Authentication bypass requires weak RSA exponents (e=3) which have been disallowed by most cryptographic libraries for over a decade. DoS is mitigated by automatic daemon restart.",
                  "value": "MEDIUM"
                },
                "type": "vendorSeverity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347: Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-617",
                  "description": "CWE-617: Reachable Assertion",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-02T21:34:41.413Z",
            "orgId": "d42dc95b-23f1-4e06-9076-20753a0fb0df",
            "shortName": "libreswan"
          },
          "references": [
            {
              "name": "Libreswan Security Advisory CVE-2026-50722",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://libreswan.org/security/CVE-2026-50722/CVE-2026-50722.txt"
            },
            {
              "name": "Libreswan CVE-2026-50722 Patches",
              "tags": [
                "patch"
              ],
              "url": "https://libreswan.org/security/CVE-2026-50722/"
            },
            {
              "name": "Related: CVE-2026-50721 (IKEv1 variant)",
              "tags": [
                "related"
              ],
              "url": "https://libreswan.org/security/CVE-2026-50721/CVE-2026-50721.txt"
            },
            {
              "name": "RFC 8017 - PKCS #1: RSA Cryptography Specifications Version 2.2",
              "tags": [
                "technical-description"
              ],
              "url": "https://www.rfc-editor.org/rfc/rfc8017"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpgrade to libreswan 5.3.1 or later. Patches for libreswan 4.15 and 5.3 are available at \u003ca href=\"https://libreswan.org/security/CVE-2026-50722/\"\u003ehttps://libreswan.org/security/CVE-2026-50722/\u003c/a\u003e\u003c/p\u003e"
                }
              ],
              "value": "Upgrade to libreswan 5.3.1 or later. Patches for libreswan 4.15 and 5.3 are available at https://libreswan.org/security/CVE-2026-50722/"
            }
          ],
          "source": {
            "defects": [
              "CVE-2026-50722"
            ],
            "discovery": "EXTERNAL"
          },
          "taxonomyMappings": [
            {
              "taxonomyName": "ATT\u0026CK",
              "taxonomyRelations": [
                {
                  "relationshipName": "maps to",
                  "relationshipValue": "Application or System Exploitation (DoS)",
                  "taxonomyId": "T1499.004"
                }
              ],
              "taxonomyVersion": "15.1"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-24T00:00:00.000Z",
              "value": "Libreswan notified of the issue via security@libreswan.org"
            },
            {
              "lang": "en",
              "time": "2026-06-16T00:00:00.000Z",
              "value": "Advanced notice given to supported customers and distributions"
            },
            {
              "lang": "en",
              "time": "2026-06-24T00:00:00.000Z",
              "value": "Public announcement and release of libreswan 5.3.1"
            }
          ],
          "title": "IKEv2 Denial of Service via RSA-SHA1 (PKCS#1 RSASSA-PKCS1-v1_5) authentication payload",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIf Windows support is not needed, configure \u003ccode\u003eauthby=ecdsa\u003c/code\u003e or \u003ccode\u003eauthby=rsa-sha2\u003c/code\u003e (or both via \u003ccode\u003eauthby=ecdsa,rsa-sha2\u003c/code\u003e) to disallow the fallback of RSA PKCS#1 1.5. The \u003ccode\u003eleftauth=\u003c/code\u003e and \u003ccode\u003erightauth=\u003c/code\u003e settings can be updated similarly if those are in use instead of \u003ccode\u003eauthby\u003c/code\u003e.\u003c/p\u003e"
                }
              ],
              "value": "If Windows support is not needed, configure authby=ecdsa or authby=rsa-sha2 (or both via authby=ecdsa,rsa-sha2) to disallow the fallback of RSA PKCS#1 1.5. The leftauth= and rightauth= settings can be updated similarly if those are in use instead of authby."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "d42dc95b-23f1-4e06-9076-20753a0fb0df",
        "assignerShortName": "libreswan",
        "cveId": "CVE-2026-50722",
        "datePublished": "2026-07-02T21:34:41.413Z",
        "dateReserved": "2026-06-05T16:10:05.751Z",
        "dateUpdated": "2026-07-02T21:34:41.413Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12413 (GCVE-0-2026-12413)

    Vulnerability from cvelistv5 – Published: 2026-07-02 21:19 – Updated: 2026-07-02 21:19
    Title
    IKEv2 Denial of Service via malformed fragmentation
    Summary
    An invalidly formatted IKEv2 fragment causes the Libreswan pluto daemon to crash and restart. Continued exploitation would cause a denial of service. The function reassemble_v2_incoming_fragments() would ignore unknown outer payloads but still store these in a fixed-size array msg_digest.digest[PAYLIMIT]. An off-by-one error in the assertion PASSERT(logger, md->digest_roof < elemsof(md->digest)) causes the daemon to abort. No remote code execution is possible. Any configuration that allows IKEv2 connections that do not set fragmentation=no is vulnerable. IKEv1 is not affected.
    Impacted products
    Vendor Product Version
    The Libreswan Project libreswan Affected: 4.6 , ≤ 5.3 (semver)
    Unaffected: 5.3.1 (semver)
    Credits
    Hu Xinyao

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "libreswan",
              "vendor": "The Libreswan Project",
              "versions": [
                {
                  "lessThanOrEqual": "5.3",
                  "status": "affected",
                  "version": "4.6",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "5.3.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Hu Xinyao"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An invalidly formatted IKEv2 fragment causes the Libreswan pluto daemon to crash and restart. Continued exploitation would cause a denial of service. The function reassemble_v2_incoming_fragments() would ignore unknown outer payloads but still store these in a fixed size array msg_digest.digest[PAYLIMIT]. An off-by-one error in the assertion PASSERT(logger, md-\u003edigest_roof \u003c elemsof(md-\u003edigest)) causes the daemon to abort. No remote code execution is possible. Any configuration that allows IKEv2 connections that do not set fragmentation=no are vulnerable. IKEv1 is not affected."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "other": {
                "content": {
                  "description": "Vendor-assessed severity. The daemon automatically restarts after the crash, requiring continued exploitation for sustained denial of service.",
                  "value": "MEDIUM"
                },
                "type": "vendorSeverity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-193",
                  "description": "Off-by-one Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-617",
                  "description": "Reachable Assertion",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-02T21:19:22.177Z",
            "orgId": "d42dc95b-23f1-4e06-9076-20753a0fb0df",
            "shortName": "libreswan"
          },
          "references": [
            {
              "name": "Libreswan Security Advisory",
              "url": "https://libreswan.org/security/CVE-2026-12413/CVE-2026-12413.txt"
            },
            {
              "name": "Libreswan CVE-2026-12413 Patches",
              "url": "https://libreswan.org/security/CVE-2026-12413/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to libreswan 5.3.1 or later. Patches for libreswan 4.15 and 5.3 are available at https://libreswan.org"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-16T00:00:00.000Z",
              "value": "Libreswan notified of the issue via security@libreswan.org"
            },
            {
              "lang": "en",
              "time": "2026-06-16T00:00:00.000Z",
              "value": "Advanced notice given to supported customers and distributions"
            },
            {
              "lang": "en",
              "time": "2026-06-24T00:00:00.000Z",
              "value": "Public announcement and release of libreswan 5.3.1"
            }
          ],
          "title": "IKEv2 Denial of Service via malformed fragmentation",
          "workarounds": [
            {
              "lang": "en",
              "value": "If fragmentation is not needed, fragmentation=no can be added to all IKEv2 configurations. If fragmentation is needed, no workaround is possible and the fix needs to be applied."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "d42dc95b-23f1-4e06-9076-20753a0fb0df",
        "assignerShortName": "libreswan",
        "cveId": "CVE-2026-12413",
        "datePublished": "2026-07-02T21:19:22.177Z",
        "dateReserved": "2026-06-16T15:52:12.674Z",
        "dateUpdated": "2026-07-02T21:19:22.177Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2020-1763 (GCVE-0-2020-1763)

    Vulnerability from cvelistv5 – Published: 2020-05-12 13:41 – Updated: 2024-08-04 06:46
    Summary
    An out-of-bounds buffer read flaw was found in the pluto daemon of libreswan from versions 3.27 till 3.31, where an unauthenticated attacker could use this flaw to crash libreswan by sending specially crafted IKEv1 Informational Exchange packets. The daemon respawns after the crash.
    Impacted products
    Vendor Product Version
    the libreswan Project libreswan Affected: from versions 3.27 till 3.31

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T06:46:30.902Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://libreswan.org/security/CVE-2020-1763/CVE-2020-1763.txt"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1763"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1813329"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/libreswan/libreswan/commit/471a3e41a449d7c753bc4edbba4239501bb62ba8"
              },
              {
                "name": "DSA-4684",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2020/dsa-4684"
              },
              {
                "name": "GLSA-202007-21",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202007-21"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-379803.pdf"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-040-04"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libreswan",
              "vendor": "the libreswan Project",
              "versions": [
                {
                  "status": "affected",
                  "version": "from versions 3.27 till 3.31"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An out-of-bounds buffer read flaw was found in the pluto daemon of libreswan from versions 3.27 till 3.31 where, an unauthenticated attacker could use this flaw to crash libreswan by sending specially-crafted IKEv1 Informational Exchange packets. The daemon respawns after the crash."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-12T05:48:52.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://libreswan.org/security/CVE-2020-1763/CVE-2020-1763.txt"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1763"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1813329"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/libreswan/libreswan/commit/471a3e41a449d7c753bc4edbba4239501bb62ba8"
            },
            {
              "name": "DSA-4684",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2020/dsa-4684"
            },
            {
              "name": "GLSA-202007-21",
              "tags": [
                "vendor-advisory",
                "x_refsource_GENTOO"
              ],
              "url": "https://security.gentoo.org/glsa/202007-21"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-379803.pdf"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-040-04"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2020-1763",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "libreswan",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "from versions 3.27 till 3.31"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "the libreswan Project"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An out-of-bounds buffer read flaw was found in the pluto daemon of libreswan from versions 3.27 till 3.31 where, an unauthenticated attacker could use this flaw to crash libreswan by sending specially-crafted IKEv1 Informational Exchange packets. The daemon respawns after the crash."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-125"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://libreswan.org/security/CVE-2020-1763/CVE-2020-1763.txt",
                  "refsource": "CONFIRM",
                  "url": "https://libreswan.org/security/CVE-2020-1763/CVE-2020-1763.txt"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1763",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1763"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1813329",
                  "refsource": "MISC",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1813329"
                },
                {
                  "name": "https://github.com/libreswan/libreswan/commit/471a3e41a449d7c753bc4edbba4239501bb62ba8",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/libreswan/libreswan/commit/471a3e41a449d7c753bc4edbba4239501bb62ba8"
                },
                {
                  "name": "DSA-4684",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2020/dsa-4684"
                },
                {
                  "name": "GLSA-202007-21",
                  "refsource": "GENTOO",
                  "url": "https://security.gentoo.org/glsa/202007-21"
                },
                {
                  "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-379803.pdf",
                  "refsource": "CONFIRM",
                  "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-379803.pdf"
                },
                {
                  "name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-040-04",
                  "refsource": "MISC",
                  "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-040-04"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2020-1763",
        "datePublished": "2020-05-12T13:41:20.000Z",
        "dateReserved": "2019-11-27T00:00:00.000Z",
        "dateUpdated": "2024-08-04T06:46:30.902Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-10155 (GCVE-0-2019-10155)

    Vulnerability from cvelistv5 – Published: 2019-06-12 13:51 – Updated: 2024-08-04 22:10
    Summary
    The Libreswan Project has found a vulnerability in the processing of IKEv1 informational exchange packets which are encrypted and integrity protected using the established IKE SA encryption and integrity keys, but as a receiver, the integrity check value was not verified. This issue affects versions before 3.29.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:10:09.974Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://libreswan.org/security/CVE-2019-10155/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10155"
              },
              {
                "name": "FEDORA-2019-f7fb531958",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LFGPGLLKAXSLWFI62A6BZHTZSCHRCBXS/"
              },
              {
                "name": "FEDORA-2019-1bd9cfb718",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EUEXFCN7FAYBKJBQJLYCEUQUCHDEJRZW/"
              },
              {
                "name": "RHSA-2019:3391",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3391"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libreswan",
              "vendor": "the libreswan Project",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.29"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Libreswan Project has found a vulnerability in the processing of IKEv1 informational exchange packets which are encrypted and integrity protected using the established IKE SA encryption and integrity keys, but as a receiver, the integrity check value was not verified. This issue affects versions before 3.29."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-354",
                  "description": "CWE-354",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-11-06T00:07:32.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://libreswan.org/security/CVE-2019-10155/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10155"
            },
            {
              "name": "FEDORA-2019-f7fb531958",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LFGPGLLKAXSLWFI62A6BZHTZSCHRCBXS/"
            },
            {
              "name": "FEDORA-2019-1bd9cfb718",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EUEXFCN7FAYBKJBQJLYCEUQUCHDEJRZW/"
            },
            {
              "name": "RHSA-2019:3391",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3391"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2019-10155",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "libreswan",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "3.29"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "the libreswan Project"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Libreswan Project has found a vulnerability in the processing of IKEv1 informational exchange packets which are encrypted and integrity protected using the established IKE SA encryption and integrity keys, but as a receiver, the integrity check value was not verified. This issue affects versions before 3.29."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "3.1/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-354"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://libreswan.org/security/CVE-2019-10155/",
                  "refsource": "MISC",
                  "url": "https://libreswan.org/security/CVE-2019-10155/"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10155",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10155"
                },
                {
                  "name": "FEDORA-2019-f7fb531958",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LFGPGLLKAXSLWFI62A6BZHTZSCHRCBXS/"
                },
                {
                  "name": "FEDORA-2019-1bd9cfb718",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EUEXFCN7FAYBKJBQJLYCEUQUCHDEJRZW/"
                },
                {
                  "name": "RHSA-2019:3391",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3391"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2019-10155",
        "datePublished": "2019-06-12T13:51:01.000Z",
        "dateReserved": "2019-03-27T00:00:00.000Z",
        "dateUpdated": "2024-08-04T22:10:09.974Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }