CVE-2026-50722 in libreswan (Bleichenbacher)

Summary

by MITRE • 07/03/2026

Libreswan, via the function RSA_authenticate_hash_signature_pkcs1_1_5_rsa(), did not correctly verify the DER encoding of the ASN.1 digest when the IKEv2 AUTH payload was encoded using RSASSA-PKCS1-v1_5 (RFC 8017). A remote attacker can use a variation on the Bleichenbacher attack to forge the AUTH payload when small public exponents are used (e.g., e=3), leading to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the AUTH payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of the remote IKE peer are not affected.


Analysis

by VulDB Data Team • 07/03/2026

This vulnerability resides in the Libreswan implementation of IKEv2 authentication, specifically in RSA signature verification when the RSASSA-PKCS1-v1_5 padding scheme defined in RFC 8017 is used. The flaw is in the RSA_authenticate_hash_signature_pkcs1_1_5_rsa() function, which fails to properly validate the DER encoding of the ASN.1 digest structure (the DigestInfo) while processing the IKEv2 AUTH payload. This cryptographic implementation error gives a remote attacker a path to exploit the signature verification routine, particularly when small public exponents such as e=3 are in use.

The security implications stem from the implementation's failure to properly handle ASN.1 DER encoding validation, creating opportunities for attackers to craft malicious AUTH payloads that bypass legitimate signature verification. This vulnerability is particularly dangerous because it allows for authentication impersonation through a variant of the Bleichenbacher attack pattern, which historically has been used to exploit RSA signature schemes with PKCS#1 v1.5 padding. The attack vector requires a remote adversary who can manipulate the IKEv2 AUTH payload structure to generate forged signatures that will be accepted by the vulnerable Libreswan daemon.

The operational impact of this vulnerability extends beyond simple authentication bypass to include sustained denial-of-service conditions within the IPsec tunnel establishment process. When attackers encode shorter than expected hash values in the AUTH payload, the system triggers internal assertions causing the daemon to abort and restart automatically. This restart behavior creates a continuous cycle of service disruption that can be maintained indefinitely by an attacker, effectively preventing legitimate IKEv2 authentication attempts from succeeding. The vulnerability affects only the specific signature verification process and does not compromise X.509 certificate validation mechanisms or enable remote code execution.

Mitigation strategies should focus on implementing proper ASN.1 DER encoding validation within the RSA signature verification routine, ensuring that all digest structures conform to expected formats before processing. Organizations should consider upgrading to patched versions of Libreswan where the signature verification logic properly validates DER encoding and handles edge cases in hash length specifications. The security community should also consider implementing additional monitoring for unusual daemon restart patterns and authentication failure rates that could indicate exploitation attempts. This vulnerability aligns with CWE-209 (Information Exposure Through an Error Message) and CWE-311 (Missing Encryption of Sensitive Data) categories, while the attack methodology maps to ATT&CK technique T1552.001 (Unsecured Credentials) through credential impersonation capabilities.
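As an added illustration (not Libreswan's code), the following Python verifier shows the strict check the analysis calls for: it rebuilds the complete RSASSA-PKCS1-v1_5 encoded message from the locally computed digest and compares it byte for byte, so non-canonical padding, trailing bytes after the DigestInfo and a too-short hash are all rejected with a plain False instead of an assertion. The DigestInfo prefix is the SHA-256 value from RFC 8017; the key and signature values used to exercise it are constructed.

```python
import hashlib
import hmac

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15_encode(digest: bytes, k: int) -> bytes:
    """Build EM = 0x00 || 0x01 || PS || 0x00 || T for a SHA-256 digest (RFC 8017, 9.2)."""
    if len(digest) != hashlib.sha256().digest_size:
        raise ValueError("digest is not a SHA-256 digest")
    t = SHA256_DIGESTINFO_PREFIX + digest
    if k < len(t) + 11:  # at least 8 bytes of 0xFF padding are required
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (k - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def verify_encoded_message(em: bytes, digest: bytes) -> bool:
    """Strict check: reconstruct the one canonical EM and compare the whole thing.

    A lenient verifier that scans for the 0x00 separator and only inspects the
    DigestInfo leaves room for unchecked bytes; comparing the full EM does not.
    Any malformed input, including a truncated hash, yields False, never an
    exception, so the caller has no assertion to trip.
    """
    try:
        expected = emsa_pkcs1_v15_encode(digest, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def rsa_pkcs1_v15_verify(n: int, e: int, signature: bytes, digest: bytes) -> bool:
    """RSAVP1 followed by the strict EM comparison (RFC 8017, 8.2.2)."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return verify_encoded_message(em, digest)
```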

The root cause demonstrates a classic cryptographic implementation flaw where proper input validation and encoding verification are missing from critical security functions. This type of vulnerability commonly occurs in legacy implementations where developers may not fully account for all edge cases in ASN.1 parsing and signature verification routines, particularly when dealing with standardized but complex padding schemes like PKCS#1 v1.5. Organizations should implement comprehensive testing procedures that include ASN.1 encoding validation and signature verification routine testing to prevent similar vulnerabilities from being introduced into cryptographic implementations. The vulnerability also highlights the importance of proper error handling in security-critical code paths, where assertion failures can lead to service disruption rather than graceful error recovery mechanisms.

Security practitioners should note that while this vulnerability does not enable direct remote code execution, it creates a significant availability threat through persistent denial-of-service conditions. The combination of authentication impersonation capability and sustained service disruption makes this particularly dangerous in environments where IPsec tunnel availability is critical for network security operations. Network administrators should implement monitoring solutions that can detect unusual daemon behavior patterns and consider implementing rate limiting on IKEv2 authentication attempts to reduce the effectiveness of automated exploitation attempts. The vulnerability also underscores the importance of keeping cryptographic implementations up-to-date with current security standards and best practices, particularly when dealing with well-established but complex padding schemes like PKCS#1 v1.5 that have known attack vectors in specific implementation contexts.

Responsible: Libreswan
Reservation: 06/05/2026
Disclosure: 07/03/2026
Moderation: accepted
CPE: ready
EPSS: 0.00000
KEV: no
Activities: low
