CVE-2026-12413
Status: Received - Intake

Denial of Service in Libreswan Pluto Daemon via IKEv2 Fragment

Vulnerability report for CVE-2026-12413, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: Libreswan Project

Description

An invalidly formatted IKEv2 fragment causes the Libreswan pluto daemon to crash and restart. Continued exploitation would cause a denial of service. The function reassemble_v2_incoming_fragments() would ignore unknown outer payloads but still store these in a fixed size array msg_digest.digest[PAYLIMIT]. An off-by-one error in the assertion PASSERT(logger, md->digest_roof < elemsof(md->digest)) causes the daemon to abort. No remote code execution is possible. Any configuration that allows IKEv2 connections and does not set fragmentation=no is vulnerable. IKEv1 is not affected.

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-03
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: libreswan
Product: pluto
Version / Range: no version range is given in the record. The range shown on the original page ("From fragmentation=no (exc)") is the configuration keyword from the description, not a version, so treat every Libreswan build that accepts IKEv2 connections without fragmentation=no as affected until a fixed release is named.

Exploitability

CWE ID: CWE-617
Description: The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

CWE ID: CWE-193
Description: A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

AI Quick Actions

Executive Summary

This vulnerability occurs in the Libreswan pluto daemon when it processes invalidly formatted IKEv2 fragments. Specifically, reassemble_v2_incoming_fragments() ignores unknown outer payloads for processing purposes but still stores each of them in the fixed-size array msg_digest.digest[PAYLIMIT], so they consume slots in that array. The bounds assertion guarding the array, PASSERT(logger, md->digest_roof < elemsof(md->digest)), is off by one, so a fragment carrying enough payloads trips it and the daemon aborts and restarts.

The issue is a denial of service because the failed assertion terminates the daemon rather than rejecting the malformed message. It affects configurations that allow IKEv2 connections with fragmentation enabled (any setting other than fragmentation=no). IKEv1 is not affected, and no remote code execution is possible.
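The following is an added, simplified model of the failure mode described in the Description and the summary above. It is not Libreswan's code: the names digest[PAYLIMIT] and digest_roof mirror the advisory, but the limit of 8, the payload types, the parsing loop, the placement of the assertion after the increment, and the hardened variant are all assumptions made for illustration. PASSERT() is modelled as a return code so the example does not abort(). The hardened function shows the general fix pattern (check capacity before storing, do not store ignored payloads, reject the message instead of asserting) and is not the project's actual patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not Libreswan's source. PAYLIMIT is assumed small so
 * the off-by-one is easy to follow. */
#define PAYLIMIT 8U
#define MAX_HDRS 32U

/* IKEv2 payload type numbers (RFC 7296); 200 is in the private-use range
 * and stands in for any type this toy parser does not understand. */
enum payload_type { PT_SA = 33, PT_KE = 34, PT_NONCE = 40, PT_PRIVATE = 200 };

struct payload_hdr { uint8_t type; uint16_t len; };   /* one generic payload header */
struct payload_digest { unsigned type; size_t len; };

struct msg_digest {
    struct payload_digest digest[PAYLIMIT];
    unsigned digest_roof;   /* number of digest slots in use */
};

enum result { REASSEMBLED = 0, MALFORMED = -1, ASSERT_ABORT = -2 };

static bool known_payload(unsigned t)
{
    return t == PT_SA || t == PT_KE || t == PT_NONCE;
}

/* Vulnerable shape. Unknown payloads are "ignored" for processing but still
 * consume a slot, and the bounds assertion runs after the increment. Storing
 * the PAYLIMIT-th payload is in bounds (index PAYLIMIT-1), yet the check
 * that follows sees digest_roof == PAYLIMIT and fails: the off-by-one. */
static int reassemble_vulnerable(struct msg_digest *md,
                                 const struct payload_hdr *p, size_t n)
{
    md->digest_roof = 0;
    for (size_t i = 0; i < n; i++) {
        /* unknown outer payload: nothing is done with it, but it is still
         * recorded below and so counts against PAYLIMIT */
        md->digest[md->digest_roof].type = p[i].type;
        md->digest[md->digest_roof].len = p[i].len;
        md->digest_roof++;
        /* models PASSERT(logger, md->digest_roof < elemsof(md->digest)) */
        if (!(md->digest_roof < PAYLIMIT))
            return ASSERT_ABORT;
    }
    return REASSEMBLED;
}

/* Hardened shape (assumed fix pattern): capacity is checked before the store,
 * an ignored payload does not take a slot, and an overflowing message is
 * reported as malformed so the caller drops it instead of the daemon dying. */
static int reassemble_hardened(struct msg_digest *md,
                               const struct payload_hdr *p, size_t n)
{
    md->digest_roof = 0;
    for (size_t i = 0; i < n; i++) {
        if (!known_payload(p[i].type))
            continue;                 /* ignored payloads are not stored */
        if (md->digest_roof >= PAYLIMIT)
            return MALFORMED;         /* attacker-controlled count: reject, don't assert */
        md->digest[md->digest_roof].type = p[i].type;
        md->digest[md->digest_roof].len = p[i].len;
        md->digest_roof++;
    }
    return REASSEMBLED;
}

/* Constructed fragment: one SA payload followed by n_unknown payloads of an
 * unrecognised type. Returns how many headers were written. */
static size_t build_fragment(struct payload_hdr *out, size_t n_unknown)
{
    size_t n = 0;
    out[n++] = (struct payload_hdr){ PT_SA, 48 };
    for (size_t i = 0; i < n_unknown && n < MAX_HDRS; i++)
        out[n++] = (struct payload_hdr){ PT_PRIVATE, 4 };
    return n;
}

static int run_vulnerable(size_t n_unknown)
{
    struct payload_hdr hdrs[MAX_HDRS];
    struct msg_digest md;
    return reassemble_vulnerable(&md, hdrs, build_fragment(hdrs, n_unknown));
}

static int run_hardened(size_t n_unknown)
{
    struct payload_hdr hdrs[MAX_HDRS];
    struct msg_digest md;
    return reassemble_hardened(&md, hdrs, build_fragment(hdrs, n_unknown));
}

/* How many slots the hardened parser actually used for the same fragment. */
static unsigned hardened_slots_used(size_t n_unknown)
{
    struct payload_hdr hdrs[MAX_HDRS];
    struct msg_digest md;
    reassemble_hardened(&md, hdrs, build_fragment(hdrs, n_unknown));
    return md.digest_roof;
}

int main(void)
{
    /* PAYLIMIT-1 unknown payloads plus the SA payload fill exactly PAYLIMIT
     * slots: every store is in bounds, but the vulnerable assertion fires. */
    printf("vulnerable, %u payloads: %d\n", PAYLIMIT, run_vulnerable(PAYLIMIT - 1));
    printf("hardened,   %u payloads: %d (slots used: %u)\n", PAYLIMIT,
           run_hardened(PAYLIMIT - 1), hardened_slots_used(PAYLIMIT - 1));
    return 0;
}
```

The point the model makes is that the assertion does stop the out-of-bounds write (which is why the advisory says no code execution is possible), but it also fires on a message that was still in bounds, and in either case the remote peer gets to choose whether the daemon lives. A real IKEv2 parser must additionally honour the critical bit on unrecognised payloads (RFC 7296 section 2.5: reject the message if the bit is set), which the toy `continue` omits.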

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS). An attacker who can send IKEv2 traffic to the daemon can deliver specially crafted fragments that cause the Libreswan pluto daemon to crash and restart, and can repeat this for as long as the daemon keeps accepting fragmented IKEv2 messages.

Each restart discards pluto's IKE SA state, so the disruption is not limited to the attacker's own connection attempt: established tunnels must be renegotiated after every crash, interrupting the secure communications and network connectivity that rely on Libreswan.

No remote code execution or data compromise is possible through this vulnerability.

Mitigation Strategies

As a workaround, set fragmentation=no on every conn that accepts IKEv2 connections (or in conn %default so that it applies to all of them). With fragmentation disabled pluto does not negotiate IKEv2 fragmentation with peers, so the fragment reassembly path that contains the faulty assertion is not reached. The trade-off is that peers whose IKE messages are large enough to need fragmentation (for example IKE_AUTH carrying long certificate chains across paths that drop fragmented UDP) may no longer be able to connect, so test the change against real peers before rolling it out.

The workaround does not correct the off-by-one itself. Track the Libreswan Project's releases and update pluto to a version in which the assertion is fixed once a patch is available; until then, monitor for repeated pluto restarts, which are the observable sign of this condition being triggered.

Compliance Impact

This vulnerability causes a denial of service by crashing and restarting the Libreswan pluto daemon when processing invalidly formatted IKEv2 fragments. It does not lead to remote code execution or data compromise.

Since the vulnerability does not impact confidentiality or integrity of data, but only availability, its effect on compliance with standards like GDPR or HIPAA would primarily relate to potential service disruption.

Organizations relying on Libreswan for VPN connections should consider the risk of denial of service affecting availability requirements under these regulations.
