Back to overview

CVE-2026-50722

HIGH
7.5
CVSS 3.1
Description
Libreswan, via the function RSA_authenticate_hash_signature_pkcs1_1_5_rsa(), did not correctly verify the DER encoding of the ASN.1 digest when the IKEv2 AUTH payload was encoded using RSASSA-PKCS1-v1_5 (RFC 8017). A remote attacker can use a variation on the Bleichenbacher attack to forge the AUTH payload when small public exponents are used (e.g., e=3), leading to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the AUTH payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of the remote IKE peer are not affected.

Metadata

CVE ID
CVE-2026-50722
State
PUBLISHED
Assigner
libreswan
Reserved
2026-06-05 16:10 UTC
Published
2026-07-02 21:34 UTC
Last updated
2026-07-02 21:34 UTC
Primary CWE
CWE-347
CWE-347: Improper Verification of Cryptographic Signature
Vendor / Product
The Libreswan Project / libreswan
Sources
cve.org  ·  NVD

Severity & Metrics

7.5 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products (1)
VendorProductPlatformVersions
The Libreswan Project libreswan 0 ≤ 5.3, 5.3.1
Weakness (CWE)
CWESourceDescription
CWE-347 cna CWE-347: Improper Verification of Cryptographic Signature
CWE-617 cna CWE-617: Reachable Assertion
CVSS scores (2)
ScoreSeverityVersionSourceVector
8.1 HIGH 3.1 cna CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References (4)
Back to overview