Severity by source
Primary rating from Vendor (libreswan).
CVSS vector (vendor: libreswan): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5 High)
Rationale: remote, unauthenticated, single crafted packet against a default IKEv2 configuration (AV:N/AC:L/PR:N/UI:N); the impact is an availability-only crash with no confidentiality or integrity effect.
Description (CVE.org)
An invalidly formatted IKEv2 fragment causes the Libreswan pluto daemon to crash and restart. Continued exploitation would cause a denial of service. The function reassemble_v2_incoming_fragments() would ignore unknown outer payloads but still store these in a fixed size array msg_digest.digest[PAYLIMIT]. An off-by-one error in the assertion PASSERT(logger, md->digest_roof < elemsof(md->digest)) causes the daemon to abort. No remote code execution is possible. Any configuration that allows IKEv2 connections and does not set fragmentation=no is vulnerable. IKEv1 is not affected.
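To make the off-by-one concrete, here is an added C model of the pattern the description names; it is not libreswan's code. It keeps a fixed-size payload table indexed by digest_roof, a pre-fix variant that stores unknown outer payloads too and asserts the bound only after advancing the roof (so a fragment carrying exactly PAYLIMIT outer payloads trips the assertion although the table is merely full), and a hardened variant that skips unknown payloads and bounds-checks before the store, rejecting the fragment instead of aborting. PAYLIMIT, the known-payload set, the function names and the store/assert ordering are assumptions for illustration; the page confirms only the array, the assertion expression and the crash-and-restart outcome.

```c
#include <stdio.h>

/* Illustration of CWE-193 in a fixed-size payload table (not libreswan's code).
 * PAYLIMIT is kept small so the edge case is easy to hit; the real value is not
 * stated on this page. */
#define PAYLIMIT 4

enum outcome { OUTCOME_OK = 0, OUTCOME_DROPPED = 1, OUTCOME_ABORTED = 2 };

struct payload { int type; };

struct msg_digest {
    struct payload digest[PAYLIMIT];
    unsigned digest_roof;   /* next free slot == number of payloads stored */
};

/* IKEv2 payload numbers 33..48 (RFC 7296) and 53 SKF (RFC 7383). Anything else is
 * treated as "unknown" here; the real parser's known set is larger (assumption),
 * which does not change the bug. */
static int is_known_v2_payload(int type)
{
    return (type >= 33 && type <= 48) || type == 53;
}

/* Pre-fix model: unknown outer payloads are not processed but still take a slot,
 * and the bound is asserted only after the roof has been advanced. pluto's
 * PASSERT() aborts the daemon; that is modelled as returning OUTCOME_ABORTED so
 * this program survives. Note that the assertion fires before any slot past the
 * end is written, which matches "no remote code execution". */
static enum outcome reassemble_v2_fragments_vulnerable(struct msg_digest *md,
                                                       const int *types, unsigned n)
{
    md->digest_roof = 0;
    for (unsigned i = 0; i < n; i++) {
        md->digest[md->digest_roof].type = types[i];   /* stored whether known or not */
        md->digest_roof++;
        /* PASSERT(logger, md->digest_roof < elemsof(md->digest)); */
        if (!(md->digest_roof < PAYLIMIT))
            return OUTCOME_ABORTED;
    }
    return OUTCOME_OK;
}

/* Hardened model: unknown payloads are skipped rather than stored, and the bound
 * is checked before the store. A fragment that would overflow the table is an
 * attacker-controlled condition, so it is a protocol error (drop), never an
 * assertion. This is one reasonable fix, not necessarily the one the vendor shipped. */
static enum outcome reassemble_v2_fragments_hardened(struct msg_digest *md,
                                                     const int *types, unsigned n)
{
    md->digest_roof = 0;
    for (unsigned i = 0; i < n; i++) {
        if (!is_known_v2_payload(types[i]))
            continue;                                  /* ignore, do not store */
        if (md->digest_roof >= PAYLIMIT)
            return OUTCOME_DROPPED;                    /* reject the fragment, keep running */
        md->digest[md->digest_roof++].type = types[i];
    }
    return OUTCOME_OK;
}

static const char *outcome_name(enum outcome o)
{
    return o == OUTCOME_OK ? "ok" : o == OUTCOME_DROPPED ? "dropped" : "ABORTED";
}

int main(void)
{
    struct msg_digest md;
    /* Constructed inputs: outer payload-type sequences as an attacker could send them. */
    const int three_known[]  = { 33, 34, 40 };
    const int four_known[]   = { 33, 34, 40, 41 };
    const int five_unknown[] = { 0, 200, 201, 202, 203 };

    printf("3 known:   vulnerable=%s hardened=%s\n",
           outcome_name(reassemble_v2_fragments_vulnerable(&md, three_known, 3)),
           outcome_name(reassemble_v2_fragments_hardened(&md, three_known, 3)));
    printf("4 known:   vulnerable=%s hardened=%s\n",
           outcome_name(reassemble_v2_fragments_vulnerable(&md, four_known, 4)),
           outcome_name(reassemble_v2_fragments_hardened(&md, four_known, 4)));
    printf("5 unknown: vulnerable=%s hardened=%s\n",
           outcome_name(reassemble_v2_fragments_vulnerable(&md, five_unknown, 5)),
           outcome_name(reassemble_v2_fragments_hardened(&md, five_unknown, 5)));
    return 0;
}
```

The five-unknown case is the interesting one: the payloads are ignored semantically, yet in the pre-fix model they still consume table slots, so junk an attacker can send freely is enough to reach the assertion. The hardened variant never lets unprocessed data occupy bounded state, and its remaining bound check returns an error to the caller rather than terminating the daemon.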
Analysis (AI)
Denial of service in the Libreswan IPsec VPN's pluto daemon allows remote unauthenticated attackers to crash and repeatedly restart the daemon by sending an invalidly formatted IKEv2 fragment. The off-by-one flaw affects any deployment permitting IKEv2 connections that do not explicitly set fragmentation=no, with no authentication or user interaction required; repeated exploitation sustains the outage. …
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires the target to accept IKEv2 connections where IKE fragmentation is not disabled - i.e., any connection configuration that does not set fragmentation=no; this is the exact prerequisite named in the advisory and covers typical default IKEv2 setups. … |
| Risk Assessment | The signals are internally consistent for a genuine, easily triggered availability threat: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5 High) reflects remote, low-complexity, unauthenticated exploitation with high availability impact and no confidentiality or integrity loss, matching the description of a crash-and-restart DoS with explicitly no RCE. … |
| Exploit Scenario | An attacker on the network path to an internet-facing IPsec gateway sends a single invalidly formatted IKEv2 fragment containing unknown outer payloads to UDP 500/4500, triggering the off-by-one assertion and aborting the pluto daemon. Because the daemon restarts, the attacker simply resends the packet in a loop to keep the VPN service continuously unavailable. … |
| Remediation | No exact fixed version is provided in the input data, so no vendor-released patch version can be independently confirmed here - consult the Libreswan advisory at https://libreswan.org/security/CVE-2026-12413/ (full text https://libreswan.org/security/CVE-2026-12413/CVE-2026-12413.txt) for the patched release and upgrade to it as the primary fix. … |
Recommended Action (AI)
Within 24 hours: Inventory all Libreswan installations and verify fragmentation settings in IKEv2 configurations. …
Related vulnerabilities
- Signature forgery and denial-of-service in Libreswan's IKEv1 RSA authentication allows a remote unauthenticated attacker
- Peer impersonation and denial-of-service in Libreswan IPsec/IKEv2 arises from improper DER/ASN.1 digest verification in
Same weakness: CWE-193 – Off-by-one Error
Identifiers
EUVD-2026-41439
GHSA-vj68-68x2-jwjq