Denial of Service Vulnerability in Libreswan's Pluto Daemon
CVE-2026-12413

7.5 HIGH

Key Information:

Status:
Vendor:
CVE Published: 2 July 2026

What is CVE-2026-12413?

The Libreswan Pluto daemon is vulnerable to a denial of service triggered by improperly formatted IKEv2 fragments. When such a fragment is processed, the daemon can crash and restart because of an off-by-one error in the handling of message digests: in the reassemble_v2_incoming_fragments() function, unknown outer payloads are incorrectly stored in a fixed-size array. The issue affects only configurations that allow IKEv2 connections with fragmentation enabled; IKEv1 is unaffected. Libreswan users should apply the patches provided by the vendor.
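The bug class named above (an off-by-one bound check on a fixed-size array of parsed payloads, where the last valid index is one less than the array size) is illustrated below in an added example. This is not libreswan's code: the struct names, the array size MAX_PAYLOADS, the payload type numbers and the sample input are all invented for the illustration. The defective check is kept as a pure predicate so it can be exercised without performing the out-of-bounds write; the corrected check is the one the append function actually uses.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_PAYLOADS 4   /* invented array size for this example */

/* One parsed payload header kept per received payload (hypothetical layout). */
struct payload_digest {
    unsigned type;  /* payload type number as seen on the wire */
    size_t   len;   /* payload body length in bytes */
};

/* A message collects its parsed payloads in a fixed-size array. */
struct message {
    struct payload_digest digests[MAX_PAYLOADS];
    size_t count;   /* number of digests currently stored */
};

/* Defective bound check: accepts count == MAX_PAYLOADS, which would index
 * digests[MAX_PAYLOADS], one element past the end of the array. */
bool slot_available_buggy(size_t count)
{
    return count <= MAX_PAYLOADS;   /* off by one: should be '<' */
}

/* Corrected bound check: the last valid index is MAX_PAYLOADS - 1. */
bool slot_available_fixed(size_t count)
{
    return count < MAX_PAYLOADS;
}

/* Append one parsed payload using the corrected check. Returns false and
 * leaves the message untouched when the array is already full. */
bool append_payload(struct message *m, unsigned type, size_t len)
{
    if (!slot_available_fixed(m->count))
        return false;
    m->digests[m->count].type = type;
    m->digests[m->count].len = len;
    m->count++;
    return true;
}

/* Collect a sequence of n (type, len) payload headers into m. Returns the
 * number stored, or -1 if the message carries more payloads than fit, in
 * which case the whole message is rejected rather than silently truncated. */
int collect_payloads(struct message *m, const unsigned *types,
                     const size_t *lens, size_t n)
{
    m->count = 0;
    for (size_t i = 0; i < n; i++) {
        if (!append_payload(m, types[i], lens[i]))
            return -1;
    }
    return (int)m->count;
}

/* Constructed input that fits: three payloads. Returns the stored count. */
int demo_fits(void)
{
    struct message m = {0};
    const unsigned types[] = {33, 34, 35};   /* invented type numbers */
    const size_t lens[] = {8, 16, 24};
    return collect_payloads(&m, types, lens, 3);
}

/* Constructed input with one payload more than the array holds: the
 * corrected check rejects the message instead of writing past the end. */
int demo_overflow(void)
{
    struct message m = {0};
    const unsigned types[] = {1, 2, 3, 4, 5};
    const size_t lens[] = {1, 1, 1, 1, 1};
    return collect_payloads(&m, types, lens, 5);
}

int main(void)
{
    printf("buggy check accepts index %d: %s\n", MAX_PAYLOADS,
           slot_available_buggy(MAX_PAYLOADS) ? "yes (out of bounds)" : "no");
    printf("fixed check accepts index %d: %s\n", MAX_PAYLOADS,
           slot_available_fixed(MAX_PAYLOADS) ? "yes" : "no");
    printf("three payloads stored: %d\n", demo_fits());
    printf("five payloads result: %d\n", demo_overflow());
    return 0;
}
```

The point of returning -1 from collect_payloads rather than capping the count is that a message with more payloads than the parser was built to hold is itself a protocol anomaly worth logging, and rejecting it fails closed.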

Affected Version(s)

libreswan 4.6 through 5.3

libreswan 5.3.1

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Hu Xinyao