Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (libreswan) · only source for this CVE.
CVSS VectorVendor: libreswan
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Libreswan, via the function RSA_authenticate_hash_signature_raw_rsa(), did not correctly verify the length of the authentication hash when the SIG payload of an IKEv1 packet was encoded using PKCS #1 RSA Encryption as per RFC 2313. A remote attacker can use a variation on the Bleichenbacher attack to forge the SIG payload when small public exponents are being used (e.g., e=3), which could lead to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the SIG payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of remote IKE peers are not affected.
AnalysisAI
Signature forgery and denial-of-service in Libreswan's IKEv1 RSA authentication allows a remote unauthenticated attacker to impersonate an IKE peer or crash the daemon. The flaw lives in RSA_authenticate_hash_signature_raw_rsa(), which fails to validate the length of the authentication hash inside a PKCS #1 (RFC 2313) encoded SIG payload; when a peer uses a small RSA public exponent such as e=3, a Bleichenbacher-style forgery becomes feasible. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Within 24 hours: Inventory all systems running Libreswan and document current version and IKEv1 configuration status, particularly any deployments using raw-RSA authentication. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Jwt Attack
View allAuthentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke
Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. Rated high severity (C
JWT authentication bypass in pac4j-jwt before 4.5.9/5.7.9/6.3.3 when processing encrypted JWTs. PoC available.
Remote code execution in UpdraftPlus: WP Backup & Migration Plugin for WordPress (versions ≤1.26.4) allows unauthenticat
Authentication bypass in Authlib (Python OAuth/OpenID Connect library) versions 1.6.5 through 1.6.6 allows remote attack
Denial of service in the Go golang.org/x/crypto/ssh library before version 0.52.0 allows unauthenticated remote attacker
Signed XML message tampering in SAP NetWeaver Application Server ABAP and ABAP Platform allows authenticated low-privile
Authentication bypass in Fortinet FortiWeb 8.0.0, 7.6.0-7.6.4, and 7.4.0-7.4.9 allows unauthenticated remote attackers t
Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Insufficient Si
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41441
GHSA-93pj-2pmf-2x7p