Reporting a vulnerability

Please contact security@libreswan.org if you suspect you have found a security issue or vulnerability in libreswan. Encrypted email can be received encrypted to the libreswan OpenPGP key.
We strongly encourage you to report potential security vulnerabilities to us before disclosing them in a public forum or in a public security paperi or conference. The Libreswan Team typically responds within a few days but usually needs a few weeks to publish a new release with the security fix. The Libreswan Team does not accept any third party clauses before receiving information. A vulnerability reporter cannot mandate a timeline of public disclosure, however The Libreswan Team might accept reasonable requests for short delays.

List of libreswan CVEs

CVE Number Date Vulnerability Information Vulnerable Files
CVE-2022-23094 Jan 11, 2022 Malicious IKEv1 packet can cause libreswan to restart 4.2 - 4.5 Patches
CVE-2020-1763 May 11, 2020 IKEv1 Informational Exchange messages causes restart 3.27 - 3.31 Patches
CVE-2019-10155 Jun 10, 2019 IKEv1 Informational exchange integrity check failure 3.0 - 3.28 Patches
CVE-2019-12312 Jun 4, 2019 IKEv2 bogus Informational Exchange request can cause NULL pointer dereference 3.27 Patches
CVE-2016-5391 Jul 25, 2016 IKEv2 bogus proposal lacking DH transform causes restart 3.17 Patches
CVE-2016-5361 Jun 14, 2016 MITRE mistakenly issues CVE-2016-5361 none -
CVE-2016-3071 Apr 4, 2016 IKEv2 aes_xcbc transform causes restart of IKE daemon 3.16 Patches
CVE-2015-3240 Aug 24, 2015 bad DH g^x by remote peer causes IKE daemon restart 3.0 - 3.15 Patches
CVE-2015-3204 Jun 1, 2015 malicious payload causes IKE daemon restart 3.9 - 3.12 Patches
CVE-2013-6467 Jan 15, 2014 dereferencing missing IKEv2 payloads causes restart 3.0 - 3.7 Patches
CVE-2013-4564 Dec 10, 2013 Denial of Service with bogus IKE packet 3.6 -
CVE-2013-6467 May 13, 2013 remote buffer overflow in atodn() 3.0 - 3.1 Patches

non-libreswan CVEs

The Libreswan Project also assisted with some openswan CVE's and strongswan CVE's.