CVE-2026-12413 in libreswaninfo

Summary

by MITRE • 07/03/2026

An invalidly formatted IKEv2 fragment causes the Libreswan pluto daemon to crash and restart. Continued exploitation would cause a denial of service. The function reassemble_v2_incoming_fragments() would ignore unknown outer payloads but still store these in a fixed size array msg_digest.digest[PAYLIMIT]. An off-by-one error in the assertion PASSERT(logger, md->digest_roof < elemsof(md->digest)) causes the daemon to abort. No remote code execution is possible. Any configuration that allows IKEv2 connections that do not set fragmentation=no are vulnerable. IKEv1 is not affected.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/04/2026

The vulnerability resides within the Libreswan implementation of the IKEv2 protocol, specifically affecting the pluto daemon responsible for managing IPsec security associations. This issue manifests when processing malformed IKEv2 fragments through the reassemble_v2_incoming_fragments() function, which demonstrates a critical flaw in payload handling and memory management. The daemon's failure to properly validate incoming IKEv2 messages creates a condition where unknown outer payloads are processed but stored in a fixed-size array structure msg_digest.digest[PAYLIMIT] without adequate bounds checking.

The technical exploitation occurs due to an off-by-one error within the assertion mechanism PASSERT(logger, md->digest_roof digest)), which governs memory allocation and validation for the message digest processing. This assertion failure causes the daemon to abruptly abort and restart, creating a denial of service condition that can be repeatedly triggered by an attacker. The vulnerability specifically targets the IKEv2 protocol implementation where fragmentation is enabled, as configurations that explicitly disable fragmentation using fragmentation=no are immune to this particular exploit. The function's behavior of ignoring unknown outer payloads while simultaneously storing them in a predetermined array structure creates a memory management inconsistency that directly leads to the assertion failure.

The operational impact extends beyond simple service disruption, as this vulnerability represents a classic example of a resource exhaustion attack vector that can be leveraged for sustained denial of service operations. The crash and restart cycle effectively renders the IPsec security gateway unavailable to legitimate users while maintaining the underlying network connectivity for attackers to continue exploitation attempts. This vulnerability is classified under CWE-129 Input Validation and CWE-787 Out-of-bounds Write, demonstrating how improper bounds checking can lead to program termination and system instability.

From an adversarial perspective, this vulnerability maps directly to ATT&CK technique T1499.004 for Network Denial of Service, as it enables attackers to systematically disrupt network security services through controlled exploitation of protocol implementation flaws. The lack of remote code execution capability limits the attack surface but does not diminish the severity of the denial of service impact, particularly in environments where IPsec gateways serve critical network infrastructure functions. Organizations with active IKEv2 connections and default configurations are at risk, as the vulnerability requires no authentication or special privileges to exploit. The fix typically involves implementing proper bounds checking mechanisms within the message digest processing code and ensuring that all incoming payloads are validated against expected protocol structures before storage operations occur.

The vulnerability demonstrates a fundamental weakness in the Libreswan implementation's defensive programming practices, where error handling for malformed input does not account for boundary conditions in memory allocation. This represents a common pattern in network security implementations where protocol parsing functions fail to consider edge cases that can lead to program termination rather than graceful error recovery. The fact that IKEv1 remains unaffected indicates that the vulnerability is specific to the IKEv2 fragmentation handling code path, further narrowing the scope of exploitation while maintaining significant impact potential for affected systems.

Security practitioners should prioritize patching this vulnerability as it represents a straightforward denial of service vector that can be automated and sustained over time. The recommended mitigations include updating to patched versions of Libreswan, implementing network-level monitoring for unusual IKEv2 traffic patterns, and considering configuration changes that disable fragmentation where not strictly required. Additionally, organizations should review their IPsec implementations to ensure that all security gateways are updated and that appropriate intrusion detection systems are monitoring for exploitation attempts targeting this specific vulnerability pattern.

Responsible

Libreswan

Reservation

06/16/2026

Disclosure

07/03/2026

Moderation

accepted

CPE

ready

EPSS

0.00597

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!