Skip to main content

Strongswan CVE-2026-25075

| EUVDEUVD-2026-14477 HIGH
Integer Underflow (CWE-191)
2026-03-23 VulnCheck GHSA-frr2-5qjr-h4hw
8.7
CVSS 4.0 · Vendor: VulnCheck
Temporal: 7.5
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CIRCL (temporal)
7.5 HIGH
cvss
Ubuntu
MEDIUM
qualitative
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
PoC Detected
Mar 27, 2026 - 20:16 vuln.today
Public exploit code
EUVD ID Assigned
Mar 23, 2026 - 19:00 euvd
EUVD-2026-14477
Analysis Generated
Mar 23, 2026 - 19:00 vuln.today
CVE Published
Mar 23, 2026 - 18:33 nvd
HIGH 8.7

DescriptionCVE.org

strongSwan versions 4.5.0 prior to 6.0.5 contain an integer underflow vulnerability in the EAP-TTLS AVP parser that allows unauthenticated remote attackers to cause a denial of service by sending crafted AVP data with invalid length fields during IKEv2 authentication. Attackers can exploit the failure to validate AVP length fields before subtraction to trigger excessive memory allocation or NULL pointer dereference, crashing the charon IKE daemon.

AnalysisAI

Unauthenticated remote attackers can crash strongSwan versions 4.5.0 through 6.0.4 via integer underflow in the EAP-TTLS AVP parser during IKEv2 authentication by sending malformed AVP packets with invalid length fields. Public exploit code exists for this denial of service vulnerability, which triggers memory corruption in the charon daemon with no available patch. Organizations running affected strongSwan versions are vulnerable to service disruption without authentication or user interaction required.

Technical ContextAI

strongSwan is a widely-deployed open-source IPsec-based VPN solution that supports IKEv2 (Internet Key Exchange version 2) authentication. The affected component is the EAP-TTLS (Extensible Authentication Protocol - Tunneled Transport Layer Security) Attribute-Value Pair (AVP) parser, which processes authentication data during IKEv2 session establishment. The vulnerability stems from CWE-191 (Integer Underflow/Wraparound), where the parser fails to validate AVP length fields before performing subtraction operations. This allows specially crafted AVP data with malicious length values to trigger integer underflow, leading to excessive memory allocation attempts or NULL pointer dereferences that crash the charon daemon process. The affected product per CPE string is cpe:2.3:a:strongswan:strongswan across a wide range of versions spanning multiple major releases.

RemediationAI

Upgrade to strongSwan version 6.0.5 or later, which addresses the integer underflow vulnerability in the EAP-TTLS AVP parser. The patch release is documented at https://www.strongswan.org/blog/2026/03/23/strongswan-6.0.5-released.html. Organizations unable to immediately upgrade should consider implementing network-level protections such as restricting VPN gateway access to trusted IP ranges via firewall rules, deploying intrusion prevention system (IPS) signatures to detect malformed AVP packets if available, or temporarily disabling EAP-TTLS authentication in favor of alternative IKEv2 authentication methods if operationally feasible. Given the availability of public exploit code and the unauthenticated remote nature of the attack, patching should be prioritized for all internet-facing strongSwan VPN deployments.

CVE-2015-3991 CRITICAL
9.8 Sep 07

strongSwan 5.2.2 and 5.3.0 allows remote attackers to cause a denial of service (daemon crash) or execute arbitrary code

CVE-2023-41913 CRITICAL
9.8 Dec 07

strongSwan before 5.9.12 has a buffer overflow and possible unauthenticated remote code execution via a DH public value

CVE-2023-26463 CRITICAL
9.8 Apr 15

strongSwan 5.9.8 and 5.9.9 potentially allows remote code execution because it uses a variable named "public" for two di

CVE-2013-5018 MEDIUM POC
4.3 Aug 28

The is_asn1 function in strongSwan 4.1.11 through 5.0.4 does not properly validate the return value of the asn1_length f

CVE-2017-9022 HIGH
7.5 Jun 08

The gmp plugin in strongSwan before 5.5.3 does not properly validate RSA public keys before calling mpz_powm_sec, which

CVE-2017-9023 HIGH
7.5 Jun 08

The ASN.1 parser in strongSwan before 5.5.3 improperly handles CHOICE types when the x509 plugin is enabled, which allow

CVE-2017-11185 HIGH
7.5 Aug 18

The gmp plugin in strongSwan before 5.6.0 allows remote attackers to cause a denial of service (NULL pointer dereference

CVE-2012-2388 HIGH
7.5 Jun 27

The GMP Plugin in strongSwan 4.2.0 through 4.6.3 allows remote attackers to bypass authentication via a (1) empty or (2)

CVE-2022-40617 HIGH
7.5 Oct 31

strongSwan before 5.9.8 allows remote attackers to cause a denial of service in the revocation plugin by sending a craft

CVE-2021-41991 HIGH
7.5 Oct 18

The in-memory certificate cache in strongSwan before 5.9.4 has a remote integer overflow upon receiving many requests wi

CVE-2021-41990 HIGH
7.5 Oct 18

The gmp plugin in strongSwan before 5.9.4 has a remote integer overflow via a crafted certificate with an RSASSA-PSS sig

CVE-2018-17540 HIGH
7.5 Oct 03

The gmp plugin in strongSwan before 5.7.1 has a Buffer Overflow via a crafted certificate. Rated high severity (CVSS 7.5

Vendor StatusVendor

Ubuntu

Priority: Medium
strongswan
Release Status Version
trusty needs-triage -
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
upstream released 6.0.5
jammy released 5.9.5-2ubuntu2.5
noble released 5.9.13-2ubuntu4.24.04.2
questing released 6.0.1-6ubuntu4.2

Debian

strongswan
Release Status Fixed Version Urgency
bullseye vulnerable 5.9.1-1+deb11u4 -
bullseye (security) vulnerable 5.9.1-1+deb11u5 -
bookworm fixed 5.9.8-5+deb12u3 -
bookworm (security) fixed 5.9.8-5+deb12u3 -
trixie fixed 6.0.1-6+deb13u4 -
trixie (security) fixed 6.0.1-6+deb13u4 -
forky, sid vulnerable 6.0.4-1 -
(unstable) fixed (unfixed) -

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Fixed

Share

CVE-2026-25075 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy