-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

======================================================================
CVE-2026-50722: IKEv2 Denial of Service via RSA-SHA1 (PKCS#1
RSASSA-PKCS1-v1_5) authentication payload
======================================================================

This alert (and any updates) is available at the following URL:

https://libreswan.org/security/CVE-2026-50722

(See also CVE-2026-50721, which is the IKEv1 variant of this bug.)

The Libreswan Project was notified of an issue that occurs when libreswan
receives an invalidly formatted PKCS#1 v1.5 RSA signature payload that
authenticates the IKE exchange. The vulnerability is similar to
CVE-2018-16151.

Use of RSA signatures over certificates during X.509 certificate
verification of the remote IKE peer is not affected by this vulnerability.

When the RSA exponent is weak (e.g. e=3), Bleichenbacher-style signature
forgeries are possible, resulting in an authentication bypass. Note that
most cryptographic library versions and libreswan raw RSA key generation
have not allowed weak exponents for at least a decade, so valid RSA keys
with weak exponents should be very rare.

Additionally, the invalid RSA IKE authentication payload can trigger an
assertion, resulting in libreswan aborting and restarting. Continued
sending of such packets can result in a denial of service.

Severity: Medium

Vulnerable versions: all versions up to and including 5.3
Not vulnerable: 5.3.1 or later

Vulnerability details
=====================

Libreswan (via the function RSA_authenticate_hash_signature_pkcs1_1_5_rsa())
did not correctly verify the DER encoding of the ASN.1 digest when the
IKEv2 AUTH payload was encoded using RSASSA-PKCS1-v1_5 (RFC 8017). A remote
attacker can use a variation on the Bleichenbacher attack to forge the AUTH
payload when small public exponents are being used, which could lead to
impersonation.
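The verification step the advisory is about, written out as an added example
(this is not libreswan code and does not reproduce its logic). It follows the
method RFC 8017 recommends for RSASSA-PKCS1-v1_5: re-encode the expected
encoded message EM from the message hash and compare all k bytes, instead of
parsing the recovered EM for a DigestInfo. Because the whole EM is compared,
a DigestInfo followed by other bytes (the shape a small-exponent forgery
relies on) and a DigestInfo carrying a shorter-than-expected hash are both
rejected with a plain False rather than an assertion. The modulus size
(k=128 bytes), the message and the malformed EMs are constructed test
vectors, not captured IKE traffic.

```python
"""Strict RSASSA-PKCS1-v1_5 verification (RFC 8017, sections 8.2.2 and 9.2).

Added example, not libreswan code. Malformed input must yield False, never
an assertion failure, and only a byte-for-byte correct EM is accepted.
"""
import hashlib
import hmac

# DigestInfo DER prefixes from RFC 8017, section 9.2, note 1.
DIGEST_INFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def build_em(t: bytes, k: int) -> bytes:
    """Frame T as 0x00 || 0x01 || PS || 0x00 || T, k bytes long.

    The encoder only ever passes a well-formed T; the constructed test
    vectors below also pass deliberately malformed ones."""
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def emsa_pkcs1_v1_5_encode(message: bytes, k: int, hash_name: str) -> bytes:
    """EMSA-PKCS1-v1_5-ENCODE (RFC 8017, section 9.2)."""
    digest = hashlib.new(hash_name, message).digest()
    return build_em(DIGEST_INFO_PREFIX[hash_name] + digest, k)


def verify_em_strict(em: bytes, message: bytes, k: int, hash_name: str) -> bool:
    """Accept only the EM the signer must have produced for this message."""
    if len(em) != k or hash_name not in DIGEST_INFO_PREFIX:
        return False
    try:
        expected = emsa_pkcs1_v1_5_encode(message, k, hash_name)
    except ValueError:
        return False
    # Constant-time comparison of all k bytes: padding, DigestInfo and hash.
    return hmac.compare_digest(em, expected)


def rsassa_pkcs1_v1_5_verify(n: int, e: int, signature: bytes,
                             message: bytes, hash_name: str) -> bool:
    """RSASSA-PKCS1-V1_5-VERIFY: RSAVP1, I2OSP, then the strict EM check."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return verify_em_strict(em, message, k, hash_name)


def sample_cases(k: int = 128) -> dict:
    """Constructed EMs a verifier may receive (k=128 mirrors a 1024-bit modulus)."""
    message = b"constructed IKEv2 AUTH payload input"
    h = hashlib.sha256(message).digest()
    t = DIGEST_INFO_PREFIX["sha256"] + h
    # DigestInfo whose OCTET STRING declares 31 bytes and carries only 31 hash bytes.
    t_short = DIGEST_INFO_PREFIX["sha256"][:-1] + b"\x1f" + h[:31]
    # Minimal padding with other bytes after the DigestInfo: a parser that
    # stops reading at the end of the DigestInfo would accept this.
    trailing = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t + b"\x00" * (k - 11 - len(t))
    return {
        "valid": (build_em(t, k), message),
        "short_hash": (build_em(t_short, k), message),
        "trailing_bytes": (trailing, message),
        "wrong_message": (build_em(t, k), b"a different message"),
    }


def run_checks(k: int = 128) -> dict:
    """Return {case name: verifier decision} for the constructed cases."""
    return {name: verify_em_strict(em, msg, k, "sha256")
            for name, (em, msg) in sample_cases(k).items()}


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:15s} -> {'accept' if ok else 'reject'}")
```

Only the "valid" case is accepted; every malformed EM, including the one with
a short hash, is rejected without the verifier ever indexing past the data it
was handed. The same comparison applies to the SHA-1 variant the advisory
title names, by passing "sha1" as the hash name.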
A remote attacker, by encoding a shorter-than-expected hash in the AUTH
payload, could trigger an assertion leading to a denial of service.

Exploitation
============

If a server or client accepts RSA-based IKEv2 connections via the default
authby= settings, an attacker can crash libreswan, causing a denial of
service, and, when weak exponents are in use, cause an authentication
bypass. Remote code execution is not possible.

Workaround
==========

IKEv2 by default allows ECDSA and RSASSA-PSS (PSS), and allows RSA PKCS#1
v1.5 as a fallback because Microsoft Windows does not support RSASSA-PSS.
If Windows support is not needed, one can configure authby=ecdsa or
authby=rsa-sha2 (or both via authby=ecdsa,rsa-sha2) to disallow the
fallback to RSA PKCS#1 v1.5. The leftauth= and rightauth= settings can be
updated similarly if those are in use instead of authby=.

History
=======

* 24-03-2026 Libreswan was notified of the issue via security@libreswan.org.
* 16-06-2026 Advance notice given to supported customers and distributions.
* 24-06-2026 Public announcement and release of libreswan 5.3.1.

Credits
=======

This vulnerability was found and reported by Yeonghyeon Choi and Duyeong
Kim, and further vulnerable code paths were found by Andrew Cagney of the
Libreswan Team.

Upgrading
=========

To address this vulnerability, please upgrade to libreswan 5.3.1 or later.

Patches
=======

For those who cannot upgrade, patches for libreswan 4.15 and 5.3 are
available at:

https://libreswan.org/security/CVE-2026-50722/

About libreswan (https://libreswan.org/)
========================================

Libreswan is a free implementation of the Internet Key Exchange (IKE)
protocols IKEv1 and IKEv2. It is a descendant (continuation fork) of
openswan 2.6.38. IKE is used to establish IPsec VPN connections. IPsec uses
strong cryptography to provide both authentication and encryption services.
These services allow you to build secure tunnels through untrusted networks.
Everything passing through the untrusted network is encrypted by the IPsec
gateway machine, and decrypted by the gateway at the other end of the
tunnel. The resulting tunnel is a virtual private network (VPN).

-----BEGIN PGP SIGNATURE-----

iQJHBAEBCgAxFiEEkH55DyXB6OVhzXO1hf9LQ7MPxvkFAmo8D0UTHHRlYW1AbGli
cmVzd2FuLm9yZwAKCRCF/0tDsw/G+YWND/4vO5ogP0zF/jao1ITWVFmssebF34E3
nWTLP1PciYXqGaIJdqLR7nCM3YrCYDYvsSparIp9z32+pm7xGCGaSzTPRMMgphFw
+r7ZrYmVDrTxz7F0tR9VaZwEPp5SNVbm+CM5AabYufFE+rqoQ+ABp9uvt1mrNYK4
nSD8FOmbhcVmXmsKmULRbFk38paX42IQSg96kIF291OKyL5BmtYT+8SUSsiqUiVM
6XTmPQ37aZ6WOBCisoR2b8NaDWoUnHmYZXWYqVy6a9pWw32/42dkNW+SHgiDwxzV
iJ8oMGqv3sz7VrIpFgFHuA1Kc2WL/UKfSbnywqiM4uCO6vmfu8qZnMx3BlERKj+A
FDTGR0Y/ZGCIqCF819Pu6ddnezRY5PZplHgwSl2vH1PGvBDFXqkS5PY3m3PzUeEy
AyzxTxmEK5mUz5E5Lq5KhFbwslEF5b8365bZsqzcSv/n4uzHD6RbVTDcdVuIP/MK
AN+WP98/e5e5M13Hztk7yz/ffKhbEMwkGBIBZuXRpXfxNY90agIlehgiNQo9q4qv
AOjVZl1a727qe5DGbR8l/YpIEwg6On9jxCkYur0CMuhmd9WIl0JXsIlGRpQjz8YE
M3EYlhAitBrhFEMWsNRzqe08m1itX4L+x87a5np9XDli77L0DRZhzL9Z2fVx4aVK
QIGNYqtw0L4Shw==
=6Irj
-----END PGP SIGNATURE-----