SB2026062560 - Multiple vulnerabilities in libreswan
Published: June 25, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Reachable assertion (CVE-ID: CVE-2026-12413)
CWE-ID: CWE-617 - Reachable Assertion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an assertion failure caused by improper bounds checking in reassemble_v2_incoming_fragments() when processing invalidly formatted IKEv2 fragments. A remote attacker can send specially crafted fragmented IKEv2 packets to cause a denial of service.
Only IKEv2 configurations with fragmentation enabled are vulnerable. IKEv1 is not affected.
2) Input validation error (CVE-ID: CVE-2026-50721)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in RSA_authenticate_hash_signature_raw_rsa() when processing an invalidly formatted PKCS#1 v1.5 RSA signature in an IKEv1 SIG payload. A remote attacker can send a specially crafted IKEv1 packet with a shorter than expected hash to cause a denial of service.
The issue affects IKEv1 RSA-SHA1 authentication payload handling and can trigger an assertion that causes libreswan to abort and restart.
3) Input validation error (CVE-ID: CVE-2026-50722)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in RSA_authenticate_hash_signature_pkcs1_1_5_rsa() when processing IKEv2 AUTH payloads encoded using RSASSA-PKCS1-v1_5. A remote attacker can send a specially crafted authentication payload to cause a denial of service.
The issue is triggered by a shorter than expected hash in the AUTH payload, which can lead to an assertion failure and process restart.
Remediation
Install update from vendor's website.
References
- https://libreswan.org/security/CVE-2026-12413/CVE-2026-12413.txt
- https://libreswan.org/security/CVE-2026-12413
- https://libreswan.org/security/CVE-2026-50721/CVE-2026-50721.txt
- https://libreswan.org/security/CVE-2026-50721
- https://libreswan.org/security/CVE-2026-50722/CVE-2026-50722.txt
- https://libreswan.org/security/CVE-2026-50722