CVE-2026-50722

Libreswan RSA Authentication Bypass via Bleichenbacher Attack

Vulnerability report for CVE-2026-50722, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: Libreswan Project

Description

Libreswan, via the function RSA_authenticate_hash_signature_pkcs1_1_5_rsa(), did not correctly verify the DER encoding of the ASN.1 digest when the IKEv2 AUTH payload was encoded using RSASSA-PKCS1-v1_5 (RFC 8017). A remote attacker can use a variation on the Bleichenbacher attack to forge the AUTH payload when small public exponents are used (e.g., e=3), leading to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the AUTH payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of the remote IKE peer are not affected.
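The description above names the two failure modes of a PKCS#1 v1.5 signature check: not comparing the full DER DigestInfo (so padding and trailing bytes go unexamined, which is what the Bleichenbacher forgery variant relies on) and asserting instead of failing cleanly when the digest length is wrong. The following is an added illustration, not Libreswan's code: an illustrative lenient parser of the kind CWE-347 describes beside a hardened verifier that rebuilds the whole encoded message (EM, the value recovered as sig^e mod n, which is assumed to be computed elsewhere) and compares every byte; the DigestInfo prefixes are the RFC 8017 section 9.2 constants.

```python
import hashlib
import hmac

# DER-encoded DigestInfo prefixes from RFC 8017 section 9.2, note 1
DIGEST_INFO_PREFIX = {
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}

def build_em(hash_name, digest, k):
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 || DigestInfo, k bytes long."""
    t = DIGEST_INFO_PREFIX[hash_name] + digest
    if k < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_em_strict(em, hash_name, digest, k):
    """Hardened check: rebuild the expected EM and compare all k bytes."""
    # A digest of the wrong length for the named hash is a verification
    # failure, not a reason to assert and abort the daemon.
    if len(digest) != hashlib.new(hash_name).digest_size or len(em) != k:
        return False
    try:
        expected = build_em(hash_name, digest, k)
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)

def verify_em_lenient(em, hash_name, digest):
    """Illustrative flawed check (not Libreswan's code): walks EM left to
    right and never looks at what follows the digest, so the padding length
    and any trailing bytes are not enforced."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x01:
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    prefix = DIGEST_INFO_PREFIX[hash_name]
    if em[i:i + len(prefix)] != prefix:
        return False
    i += len(prefix)
    return em[i:i + len(digest)] == digest  # trailing bytes are ignored here
```

The strict verifier treats any deviation in padding length, DigestInfo bytes, trailing data or digest size as a plain failed authentication, which is the behaviour a fix for both CWE-347 and CWE-617 needs.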

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-03
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor: libreswan
Product: libreswan
Version / Range: * (all versions)

CWE

CWE-617: The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

CWE-347: The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Executive Summary

This vulnerability exists in Libreswan's function RSA_authenticate_hash_signature_pkcs1_1_5_rsa(), which incorrectly verifies the DER encoding of the ASN.1 digest when the IKEv2 AUTH payload uses RSASSA-PKCS1-v1_5 (RFC 8017). A remote attacker can exploit this by using a variation of the Bleichenbacher attack, especially when small public exponents like e=3 are used, to forge the AUTH payload and impersonate a legitimate user.

Additionally, an attacker can send an AUTH payload with a shorter than expected hash, triggering an assertion failure that causes the daemon to abort and restart repeatedly, leading to a denial-of-service condition. However, remote code execution is not possible, and X.509 certificate verifications of the remote IKE peer remain unaffected.

Impact Analysis

This vulnerability can impact you by allowing a remote attacker to impersonate a legitimate IKEv2 peer through forged AUTH payloads, potentially compromising the integrity and authenticity of VPN connections.

Furthermore, the vulnerability can be exploited to cause a denial-of-service by repeatedly crashing and restarting the daemon, which can disrupt network services relying on Libreswan for secure communications.

Remote code execution is not possible, so the attacker cannot gain direct control over the system.
