CVE-2026-50721
Received - Intake

Libreswan RSA Signature Verification Flaw Enables Impersonation

Vulnerability report for CVE-2026-50721, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: Libreswan Project

Description

Libreswan, via the function RSA_authenticate_hash_signature_raw_rsa(), did not correctly verify the length of the authentication hash when the SIG payload of an IKEv1 packet was encoded using PKCS #1 RSA Encryption as per RFC 2313. A remote attacker can use a variation on the Bleichenbacher attack to forge the SIG payload when small public exponents are being used (e.g., e=3), which could lead to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the SIG payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of remote IKE peers are not affected.
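To make the two failure modes concrete, the following added example (not Libreswan's code) contrasts a hypothetical lax check of the RFC 2313 block type 01 layout with a strict check that rebuilds the whole expected block and compares it; the function names, the 1024-bit block size and the sample digest are all constructed for illustration.

```python
import hashlib
import hmac

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
def emsa_pkcs1_v15_encode(digest: bytes, k: int) -> bytes:
    """EM = 0x00 || 0x01 || PS || 0x00 || T for a k-byte block (RFC 2313 block type 01)."""
    t = SHA256_DIGESTINFO_PREFIX + digest
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too small for this digest")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t
def verify_em_strict(em: bytes, digest: bytes) -> bool:
    """Hardened check: rebuild the whole expected block and compare every byte, so short
    padding, bytes after the hash and a truncated hash all fail with no parsing at all."""
    try:
        expected = emsa_pkcs1_v15_encode(digest, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)
def verify_em_lax(em: bytes, digest: bytes) -> bool:
    """Hypothetical lax check showing the bug class (not Libreswan's code): it walks the
    padding, then compares len(digest) bytes without checking what, if anything, remains."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x01:
        return False
    i = 2
    while i < len(em) and em[i] == 0xff:
        i += 1
    if i >= len(em) or em[i] != 0x00 or not em[i + 1:].startswith(SHA256_DIGESTINFO_PREFIX):
        return False
    body = em[i + 1 + len(SHA256_DIGESTINFO_PREFIX):]
    # CWE-617 pattern: a short hash trips an assertion instead of a clean reject.
    assert len(body) >= len(digest), "hash shorter than expected"
    return body[:len(digest)] == digest  # CWE-347 pattern: trailing bytes are ignored
def lax_outcome(em: bytes, digest: bytes) -> str:
    """Classify the lax checker's behaviour as 'accept', 'reject' or 'abort'."""
    try:
        return "accept" if verify_em_lax(em, digest) else "reject"
    except AssertionError:
        return "abort"
# Constructed samples: k = 128 (1024-bit modulus), digest of a made-up IKEv1 HASH payload.
K, DIGEST = 128, hashlib.sha256(b"constructed IKEv1 HASH_I payload").digest()
T = SHA256_DIGESTINFO_PREFIX + DIGEST
EM_GOOD = emsa_pkcs1_v15_encode(DIGEST, K)
# Minimal padding, correct hash, then filler: the layout a lax checker wrongly accepts.
EM_TRAILING = b"\x00\x01" + b"\xff" * 8 + b"\x00" + T + b"\x00" * (K - 11 - len(T))
# Hash truncated to 28 bytes, padding stretched so the block is still k bytes long.
T_SHORT = SHA256_DIGESTINFO_PREFIX + DIGEST[:28]
EM_SHORT = b"\x00\x01" + b"\xff" * (K - 3 - len(T_SHORT)) + b"\x00" + T_SHORT
```

The strict checker rejects both malformed blocks cleanly, while the lax one accepts the block with trailing filler and aborts on the truncated hash, which are the two behaviours the description attributes to the flaw.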


Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-03
AI Q&A: 2026-07-03
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
libreswan libreswan *

Exploitability

CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Executive Summary

This vulnerability exists in Libreswan's function RSA_authenticate_hash_signature_raw_rsa(), which incorrectly verifies the length of the authentication hash in the SIG payload of an IKEv1 packet when encoded using PKCS #1 RSA Encryption as defined by RFC 2313.

A remote attacker can exploit this by using a variation of the Bleichenbacher attack, especially when small public exponents like e=3 are used, to forge the SIG payload. This can lead to impersonation.

Additionally, an attacker can send a shorter than expected hash in the SIG payload to trigger an assertion failure, causing the daemon to abort and restart repeatedly, resulting in a denial-of-service condition.

Remote code execution is not possible through this vulnerability, and X.509 certificate verifications of remote IKE peers are not affected.

Impact Analysis

This vulnerability can impact you in two main ways:

  • Impersonation: An attacker can forge the SIG payload to impersonate a legitimate peer in the IKEv1 protocol, potentially bypassing authentication.
  • Denial of Service: By sending a shorter than expected hash, an attacker can cause the Libreswan daemon to repeatedly abort and restart, leading to sustained denial of service.

However, remote code execution is not possible, and certificate verification remains intact.

Compliance Impact

The vulnerability in Libreswan allows a remote attacker to impersonate a peer by forging the SIG payload in IKEv1 packets, and can cause denial of service through repeated daemon restarts. This could affect the confidentiality, integrity, and availability of communications secured by Libreswan.

Since the vulnerability leads to possible impersonation and denial-of-service, it may affect compliance with standards and regulations such as GDPR and HIPAA, which require protection of data confidentiality and integrity as well as system availability.

However, the CVE description does not explicitly mention compliance impacts or specific regulatory considerations.
