Impersonation and Denial-of-Service Vulnerability in Libreswan IKEv1 Implementation
CVE-2026-50721

8.1 HIGH

Key Information:

CVE Published: 2 July 2026

Badges

👾 Exploit Exists

What is CVE-2026-50721?

Libreswan's IKEv1 implementation contains a vulnerability in the RSA_authenticate_hash_signature_raw_rsa() function, which fails to properly verify the length of the authentication hash in the SIG payload of IKEv1 packets. A remote attacker can exploit this flaw with a variant of the Bleichenbacher attack, particularly when a small public exponent such as e=3 is used, to forge the SIG payload, leading to potential impersonation. In addition, inserting a hash shorter than expected into the SIG payload triggers an assertion failure, which is a denial-of-service condition: the Libreswan daemon aborts and restarts, and persistent exploitation can lead to an ongoing denial of service. Remote code execution is not possible, and X.509 certificate verification of remote IKE peers is unaffected.
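The bug class described above, as an added illustration that is not Libreswan's code: a strict check of the block recovered from an RSA signature, beside a lax prefix comparison that never checks the hash length. The function names and sample values are hypothetical, and the layout assumed is the PKCS#1 v1.5 type 1 block without DigestInfo (00 01 FF..FF 00 HASH) that IKEv1 RSA signatures use.

```python
import hashlib
import hmac

def check_recovered_block(em: bytes, expected_hash: bytes, k: int) -> str:
    """Classify em (the value s^e mod n, as k bytes) against expected_hash.

    Returns "ok" or a rejection reason. Malformed input is rejected with an
    error value; it never reaches an assertion that would abort the process.
    """
    hlen = len(expected_hash)
    if len(em) != k or k < hlen + 11:      # PKCS#1 needs >= 8 bytes of 0xFF
        return "bad-block-length"
    if em[:2] != b"\x00\x01":
        return "bad-header"
    sep = em.find(b"\x00", 2)              # separator after the 0xFF run
    if sep == -1 or any(b != 0xFF for b in em[2:sep]):
        return "bad-padding"
    got = em[sep + 1:]
    if len(got) < hlen:                    # shorter hash than expected
        return "hash-too-short"
    if len(got) > hlen:                    # bytes trailing the hash
        return "hash-too-long"
    return "ok" if hmac.compare_digest(got, expected_hash) else "hash-mismatch"

def lax_check(em: bytes, expected_hash: bytes) -> bool:
    """For contrast only: compares a prefix and ignores how long the rest is."""
    sep = em.find(b"\x00", 2)
    return (em[:2] == b"\x00\x01" and sep != -1
            and em[sep + 1:sep + 1 + len(expected_hash)] == expected_hash)

def build_block(pad_len: int, body: bytes) -> bytes:
    """Helper for the constructed samples below."""
    return b"\x00\x01" + b"\xff" * pad_len + b"\x00" + body

# Constructed sample data: 2048-bit modulus (k = 256) and a 32-byte hash.
K = 256
H = hashlib.sha256(b"constructed authentication hash").digest()
GOOD = build_block(K - len(H) - 3, H)
SHORT = build_block(K - 16 - 3, H[:16])             # hash shorter than expected
TRAILING = build_block(8, H + b"\xaa" * (K - 43))   # filler after the hash

if __name__ == "__main__":
    for name, em in (("good", GOOD), ("short", SHORT), ("trailing", TRAILING)):
        print(name, check_recovered_block(em, H, K), lax_check(em, H))
```

The strict check rejects both malformed blocks with a reason, while the lax comparison accepts the block with bytes trailing the hash, which is the property a small-exponent forgery depends on.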

Affected Version(s)

libreswan 0 <= 5.3

libreswan 5.3.1

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yeonghyeon Choi
Duyeong Kim
Andrew Cagney (The Libreswan Team)