Source: libreswan
Version: 5.2-2.4
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for libreswan.

CVE-2026-12413[0]:
| An invalidly formatted IKEv2 fragment causes the Libreswan pluto
| daemon to crash and restart. Continued exploitation would cause a
| denial of service. The function reassemble_v2_incoming_fragments()
| would ignore unknown outer payloads but still store these in a fixed
| size array msg_digest.digest[PAYLIMIT]. An off-by-one error in the
| assertion PASSERT(logger, md->digest_roof < elemsof(md->digest))
| causes the daemon to abort. No remote code execution is possible.
| Any configuration that allows IKEv2 connections that do not set
| fragmentation=no are vulnerable. IKEv1 is not affected.


CVE-2026-50721[1]:
| Libreswan, via the function
| RSA_authenticate_hash_signature_raw_rsa(), did not correctly verify
| the length of the authentication hash when the SIG payload of an
| IKEv1 packet was encoded using PKCS #1 RSA Encryption as per RFC
| 2313. A remote attacker can use a variation on the Bleichenbacher
| attack to forge the SIG payload when small public exponents are
| being used (e.g., e=3), which could lead to impersonation.
| Additionally, a remote attacker, by encoding a shorter than expected
| hash in the SIG payload, could trigger an assertion leading to
| denial-of-service. The daemon aborts and restarts; continued
| exploitation causes sustained denial of service. Remote code
| execution is not possible. X.509 certificate verifications of remote
| IKE peers are not affected.


CVE-2026-50722[2]:
| Libreswan, via the function
| RSA_authenticate_hash_signature_pkcs1_1_5_rsa(), did not correctly
| verify the DER encoding of the ASN.1 digest when the IKEv2 AUTH
| payload was encoded using RSASSA-PKCS1-v1_5 (RFC 8017). A remote
| attacker can use a variation on the Bleichenbacher attack to forge
| the AUTH payload when small public exponents are used (e.g., e=3),
| leading to impersonation. Additionally, a remote attacker, by
| encoding a shorter than expected hash in the AUTH payload, could
| trigger an assertion leading to denial-of-service. The daemon aborts
| and restarts; continued exploitation causes sustained denial of
| service. Remote code execution is not possible. X.509 certificate
| verifications of the remote IKE peer are not affected.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-12413
    https://www.cve.org/CVERecord?id=CVE-2026-12413
    https://libreswan.org/security/CVE-2026-12413/CVE-2026-12413.txt
[1] https://security-tracker.debian.org/tracker/CVE-2026-50721
    https://www.cve.org/CVERecord?id=CVE-2026-50721
    https://libreswan.org/security/CVE-2026-50721/CVE-2026-50721.txt
[2] https://security-tracker.debian.org/tracker/CVE-2026-50722
    https://www.cve.org/CVERecord?id=CVE-2026-50722
    https://libreswan.org/security/CVE-2026-50722/CVE-2026-50722.txt

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to