CVE-2023-41913
Published 2023-12-07
CVE-2023-41913: strongSwan before 5.9.12 has a buffer overflow and possible unauthenticated remote code execution via a DH public value that exceeds the internal buffer in…
Priority P264 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.29% (81.1 percentile)
strongSwan before 5.9.12 has a buffer overflow and possible unauthenticated remote code execution via a DH public value that exceeds the internal buffer in charon-tkm's DH proxy. The earliest affected version is 5.3.0. An attack can occur via a crafted IKE_SA_INIT message.
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | strongswan | < strongswan 5.9.8-5+deb12u1 (bookworm) | strongswan 5.9.8-5+deb12u1 (bookworm) |
| msrc | azl3_strongswan_5.9.11-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_strongswan_5.9.12-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_strongswan_5.9.10-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| strongswan | strongswan | >= 0 < 5.9.1-1+deb11u4 | 5.9.1-1+deb11u4 |
| strongswan | strongswan | >= 0 < 5.9.8-5+deb12u1 | 5.9.8-5+deb12u1 |
| strongswan | strongswan | >= 0 < 5.9.12-1 | 5.9.12-1 |
| strongswan | strongswan | >= 0 < 5.9.12-1 | 5.9.12-1 |
| strongswan | strongswan | >= 5.3.0 < 5.9.12 | 5.9.12 |
Detection & IOCs (extracted from sources)
- Attack vector is a crafted IKE_SA_INIT message containing a DH public value that exceeds the internal buffer in charon-tkm's DH proxy; monitor/filter IKEv2 IKE_SA_INIT exchanges for anomalously large DH public values.
- The vulnerable component is charon-tkm's DH proxy; focus detection on the charon-tkm process handling DH public values that exceed its internal buffer.
- Only deployments using charon-tkm (the TKM-based IKE daemon) are affected; standard charon deployments without TKM are not vulnerable.
- The vulnerability is exploitable pre-authentication, meaning no valid IKE credentials are required for an attacker to trigger the buffer overflow.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 9.8 | CRITICAL | — |
| vendor_debian | 9.8 | CRITICAL | — |
| vendor_msrc | 9.8 | CRITICAL | — |
GHSA
GHSA-g7mg-4vgp-5j3h (ghsa_unreviewed · 2023-12-07)
CVE-2023-41913 [CRITICAL] CWE-120
Description: identical to the NVD text above.
OSV
CVE-2023-41913 (osv · 2023-12-07 · CVSS 9.8)
CVE-2023-41913 [CRITICAL]
Description: identical to the NVD text above.
Ubuntu
CVE-2023-41913: strongSwan vulnerability (vendor_ubuntu · 2023-12-14)
Title: strongSwan vulnerability
Summary: strongSwan could be made to crash or run programs if it received specially crafted network traffic.
USN-6488-1 fixed a vulnerability in strongSwan. This update provides the corresponding updates for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
Original advisory details:
Florian Picca discovered that strongSwan incorrectly handled certain DH public values. A remote attacker could use this issue to cause strongSwan to crash, resulting in a denial of service, or possibly execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
vendor_msrc · 2023-12-12 · CVSS 9.8
CVE-2023-41913 [CRITICAL] CWE-120
Description: identical to the NVD text above.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more inform
Ubuntu
CVE-2023-41913: strongSwan vulnerability (vendor_ubuntu · 2023-11-20)
Title: strongSwan vulnerability
Summary: strongSwan could be made to crash or run programs if it received specially crafted network traffic.
Florian Picca discovered that strongSwan incorrectly handled certain DH public values. A remote attacker could use this issue to cause strongSwan to crash, resulting in a denial of service, or possibly execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2023-41913: strongswan (vendor_debian · 2023 · CVSS 9.8)
CVE-2023-41913 [CRITICAL]
Description: identical to the NVD text above.
Scope: local
bookworm: resolved (fixed in 5.9.8-5+deb12u1)
bullseye: resolved (fixed in 5.9.1-1+deb11u4)
forky: resolved (fixed in 5.9.12-1)
sid: resolved (fixed in 5.9.12-1)
trixie: resolved (fixed in 5.9.12-1)
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-62291 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 7.7 · [HIGH])
## CVE-2025-62291: strongSwan vulnerability analysis and mitigation
In the eap-mschapv2 plugin (client-side) in strongSwan before 6.0.3, a malicious EAP-MSCHAPv2 server can send a crafted message of size 6 through 8, and cause an integer underflow that potentially results in a heap-based buffer overflow.
Source: NVD
Score: 8.1
Published: January 16, 2026
Severity: HIGH
CNA Score: 8.1
Affected Technologies: strongSwan, Linux Fedora
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 2.5
Exploitation Probability (EPSS): N/A
Affected packages and libraries: strongswan-debugsource, strongswan-libipsec
Sources: NVD
Alpine 3.20, 3.21, 3.22 · Severity HIGH · Has Fix · Added at: Nov 09, 2025
Alpine
Wiz
CVE-2025-9615 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 7.7 · [HIGH])
## CVE-2025-9615: strongSwan vulnerability analysis and mitigation
A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. The daemon runs with root privileges and can access files owned by users different from the one who added the connection.
Source: NVD
Score: 3.3
Published: January 26, 2026
Severity: LOW
CNA Score: 3.3
Affected Technologies: strongSwan, Linux Debian
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 0.4
Exploitation Probability (EPSS): N/A
Affected packages and libraries: NetworkManager-config-connectivity-fedora, NetworkManager
Sourc
Wiz
CVE-2026-25075 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 7.7 · [HIGH])
## CVE-2026-25075: strongSwan vulnerability analysis and mitigation
strongSwan versions 4.5.0 prior to 6.0.5 contain an integer underflow vulnerability in the EAP-TTLS AVP parser that allows unauthenticated remote attackers to cause a denial of service by sending crafted AVP data with invalid length fields during IKEv2 authentication. Attackers can exploit the failure to validate AVP length fields before subtraction to trigger excessive memory allocation or NULL pointer dereference, crashing the charon IKE daemon.
Source: NVD
Score: 8.7
Published: March 23, 2026
Severity: HIGH
CNA Score: 8.7
Affected Technologies: strongSwan, Linux openSUSE
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EP
Bugzilla
CVE-2023-41913 strongswan: buffer overflow (bugzilla · 2023-12-14 · CVSS 9.8 · [CRITICAL])
Description: identical to the NVD text above.
https://github.com/strongswan/strongswan/releases
https://www.strongswan.org/blog/2023/11/20/strongswan-vulnerability-%28cve-2023-41913%29.html
Discussion:
Created strongswan tracking bugs for this issue:
Affects: epel-all [bug 2254562]
Affects: fedora-all [bug 2254561]
---
Someone please close this bug; I am not able to, but it keeps showing up in my list of bugs. All branches are newer than this bug.
References:
- https://github.com/strongswan/strongswan/releases
- https://www.strongswan.org/blog/2023/11/20/strongswan-vulnerability-%28cve-2023-41913%29.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPJZPYHBCRXUQGGKQE6TYH4J4RIJH6HO/
- https://lists.debian.org/debian-lts-announce/2023/11/msg00018.html
- https://security.netapp.com/advisory/ntap-20250117-0003/
Published: 2023-12-07