Executive Summary

CVE-2026-25075 is an integer underflow vulnerability in the eap-ttls plugin of strongSwan versions 4.5.0 up to but not including 6.0.5. It occurs in the EAP-TTLS Attribute-Value Pair (AVP) parser during IKEv2 authentication because the plugin fails to properly validate the length field in the AVP header before subtracting 8 bytes for the header size.

When the length field is less than 8, subtracting 8 causes an integer underflow, resulting in a very large unsigned integer for the payload length. This leads to excessive memory allocation requests or a NULL pointer dereference if the allocation fails, which crashes the charon IKE daemon.

This vulnerability can be triggered remotely by unauthenticated attackers sending specially crafted AVP data with invalid length fields, causing a denial of service (DoS) condition.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthenticated remote attackers to cause a denial of service by crashing the charon IKE daemon in strongSwan VPN software.

The impact is a loss of availability of the VPN service, as the daemon crashes due to either excessive memory allocation or a NULL pointer dereference triggered by the crafted AVP data.

There is no remote code execution or data breach possible through this vulnerability; the primary risk is service disruption.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves crafted EAP-TTLS AVP data with invalid length fields sent during IKEv2 authentication to the strongSwan VPN service. Detection involves monitoring for unusual or malformed EAP-TTLS AVP packets that could trigger the integer underflow.'}, {'type': 'paragraph', 'content': "Since the vulnerability causes the charon IKE daemon to crash or consume excessive memory, monitoring the daemon's stability and logs for crashes or memory allocation errors can help detect exploitation attempts."}, {'type': 'paragraph', 'content': 'Specific commands to detect this vulnerability are not provided in the available resources. However, general approaches include:'}, {'type': 'list_item', 'content': 'Using packet capture tools (e.g., tcpdump or Wireshark) to filter and analyze IKEv2 traffic for malformed EAP-TTLS AVP packets.'}, {'type': 'list_item', 'content': 'Checking system logs and the charon daemon logs for crashes or error messages related to memory allocation failures or segmentation faults.'}, {'type': 'list_item', 'content': 'Using monitoring tools to detect unusual resource usage spikes by the charon process.'}, {'type': 'paragraph', 'content': 'No explicit detection commands or signatures are mentioned in the resources.'}] [1, 2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

The primary and recommended mitigation is to upgrade strongSwan to version 6.0.5 or later, where this vulnerability has been fixed.

If upgrading immediately is not possible, applying the provided patch for older versions that addresses the integer underflow in the EAP-TTLS AVP parser is advised.

Additionally, if your system does not use EAP-TTLS authentication or terminates EAP-TTLS on a RADIUS server instead of strongSwan, the vulnerability does not apply.

Monitoring and restricting unauthenticated access to the IKEv2 service can help reduce exposure to crafted attack packets.

Useful 0 Not Useful 0