Debian Strongswan vulnerabilities

39 known vulnerabilities affecting debian/strongswan.

Total CVEs: 39
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 14, MEDIUM 17, LOW 4

Vulnerabilities

Page 1 of 2
CVE-2026-25075 | HIGH | CVSS 8.7 | fixed in strongswan 5.9.8-5+deb12u3 (bookworm) | 2026
CVE-2026-25075 [HIGH]: strongswan - strongSwan versions 4.5.0 prior to 6.0.5 contain an integer underflow vulnerability in the EAP-TTLS AVP parser that allows unauthenticated remote attackers to cause a denial of service by sending crafted AVP data with invalid length fields during IKEv2 authentication. Attackers can exploit the failure to validate AVP length fields before subtraction to trigger ex
debian
CVE-2025-62291 | HIGH | CVSS 8.1 | fixed in strongswan 5.9.8-5+deb12u2 (bookworm) | 2025
CVE-2025-62291 [HIGH]: strongswan - In the eap-mschapv2 plugin (client-side) in strongSwan before 6.0.3, a malicious EAP-MSCHAPv2 server can send a crafted message of size 6 through 8, and cause an integer underflow that potentially results in a heap-based buffer overflow. Scope: local. bookworm: resolved (fixed in 5.9.8-5+deb12u2); bullseye: resolved (fixed in 5.9.1-1+deb11u5); forky: resolved (fixed
debian
CVE-2023-41913 | CRITICAL | CVSS 9.8 | fixed in strongswan 5.9.8-5+deb12u1 (bookworm) | 2023
CVE-2023-41913 [CRITICAL]: strongswan - strongSwan before 5.9.12 has a buffer overflow and possible unauthenticated remote code execution via a DH public value that exceeds the internal buffer in charon-tkm's DH proxy. The earliest affected version is 5.3.0. An attack can occur via a crafted IKE_SA_INIT message. Scope: local. bookworm: resolved (fixed in 5.9.8-5+deb12u1); bullseye: resolved (fixed in
debian
CVE-2023-26463 | CRITICAL | CVSS 9.8 | fixed in strongswan 5.9.8-4 (bookworm) | 2023
CVE-2023-26463 [CRITICAL]: strongswan - strongSwan 5.9.8 and 5.9.9 potentially allows remote code execution because it uses a variable named "public" for two different purposes within the same function. There is initially incorrect access control, later followed by an expired pointer dereference. One attack vector is sending an untrusted client certificate during EAP-TLS. A server is affected only
debian
CVE-2022-40617 | HIGH | CVSS 7.5 | fixed in strongswan 5.9.8-1 (bookworm) | 2022
CVE-2022-40617 [HIGH]: strongswan - strongSwan before 5.9.8 allows remote attackers to cause a denial of service in the revocation plugin by sending a crafted end-entity (and intermediate CA) certificate that contains a CRL/OCSP URL that points to a server (under the attacker's control) that doesn't properly respond but (for example) just does nothing after the initial TCP handshake, or sends an ex
debian
CVE-2022-4967 | HIGH | CVSS 7.7 | fixed in strongswan 5.9.6-1 (bookworm) | 2022
CVE-2022-4967 [HIGH]: strongswan - strongSwan versions 5.9.2 through 5.9.5 are affected by authorization bypass through improper validation of certificate with host mismatch (CWE-297). When certificates are used to authenticate clients in TLS-based EAP methods, the IKE or EAP identity supplied by a client is not enforced to be contained in the client's certificate. So clients can authenticate with a
debian
CVE-2021-45079 | CRITICAL | CVSS 9.1 | fixed in strongswan 5.9.5-1 (bookworm) | 2021
CVE-2021-45079 [CRITICAL]: strongswan - In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication. Scope: local. bookworm: resolved (fixed in 5.9.5-1); bullseye: resolved (fixed in 5.9.1-1+deb1
debian
CVE-2021-41991 | HIGH | CVSS 7.5 | fixed in strongswan 5.9.4-1 (bookworm) | 2021
CVE-2021-41991 [HIGH]: strongswan - The in-memory certificate cache in strongSwan before 5.9.4 has a remote integer overflow upon receiving many requests with different certificates to fill the cache and later trigger the replacement of cache entries. The code attempts to select a less-often-used cache entry by means of a random number generator, but this is not done correctly. Remote code executio
debian
CVE-2021-41990 | HIGH | CVSS 7.5 | fixed in strongswan 5.9.4-1 (bookworm) | 2021
CVE-2021-41990 [HIGH]: strongswan - The gmp plugin in strongSwan before 5.9.4 has a remote integer overflow via a crafted certificate with an RSASSA-PSS signature. For example, this can be triggered by an unrelated self-signed CA certificate sent by an initiator. Remote code execution cannot occur. Scope: local. bookworm: resolved (fixed in 5.9.4-1); bullseye: resolved (fixed in 5.9.1-1+deb11u1); fork
debian
CVE-2019-10155 | LOW | CVSS 3.1 | fixed in libreswan 3.27-6 (bookworm) | 2019
CVE-2019-10155 [LOW]: libreswan - The Libreswan Project has found a vulnerability in the processing of IKEv1 informational exchange packets which are encrypted and integrity protected using the established IKE SA encryption and integrity keys, but as a receiver, the integrity check value was not verified. This issue affects versions before 3.29. Scope: local. bookworm: resolved (fixed in 3.27-6); bul
debian
CVE-2018-10811 | HIGH | CVSS 7.5 | fixed in strongswan 5.6.3-1 (bookworm) | 2018
CVE-2018-10811 [HIGH]: strongswan - strongSwan 5.6.0 and older allows Remote Denial of Service because of Missing Initialization of a Variable. Scope: local. bookworm: resolved (fixed in 5.6.3-1); bullseye: resolved (fixed in 5.6.3-1); forky: resolved (fixed in 5.6.3-1); sid: resolved (fixed in 5.6.3-1); trixie: resolved (fixed in 5.6.3-1)
debian
CVE-2018-17540 | HIGH | CVSS 7.5 | fixed in strongswan 5.7.1-1 (bookworm) | 2018
CVE-2018-17540 [HIGH]: strongswan - The gmp plugin in strongSwan before 5.7.1 has a Buffer Overflow via a crafted certificate. Scope: local. bookworm: resolved (fixed in 5.7.1-1); bullseye: resolved (fixed in 5.7.1-1); forky: resolved (fixed in 5.7.1-1); sid: resolved (fixed in 5.7.1-1); trixie: resolved (fixed in 5.7.1-1)
debian
CVE-2018-16151 | HIGH | CVSS 7.5 | fixed in strongswan 5.7.0-1 (bookworm) | 2018
CVE-2018-16151 [HIGH]: strongswan - In verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c in the gmp plugin in strongSwan 4.x and 5.x before 5.7.0, the RSA implementation based on GMP does not reject excess data after the encoded algorithm OID during PKCS#1 v1.5 signature verification. Similar to the flaw in the same version of strongSwan regarding digestAlgorithm.parameters, a remote attacker c
debian
CVE-2018-6459 | MEDIUM | CVSS 5.3 | fixed in strongswan 5.6.2-1 (bookworm) | 2018
CVE-2018-6459 [MEDIUM]: strongswan - The rsa_pss_params_parse function in libstrongswan/credentials/keys/signature_params.c in strongSwan 5.6.1 allows remote attackers to cause a denial of service via a crafted RSASSA-PSS signature that lacks a mask generation function parameter. Scope: local. bookworm: resolved (fixed in 5.6.2-1); bullseye: resolved (fixed in 5.6.2-1); forky: resolved (fixed in 5.6.2-
debian
CVE-2018-16152 | MEDIUM | CVSS 5.0 | fixed in strongswan 5.7.0-1 (bookworm) | 2018
CVE-2018-16152 [MEDIUM]: strongswan - In verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c in the gmp plugin in strongSwan 4.x and 5.x before 5.7.0, the RSA implementation based on GMP does not reject excess data in the digestAlgorithm.parameters field during PKCS#1 v1.5 signature verification. Consequently, a remote attacker can forge signatures when small public exponents are being used, whic
debian
CVE-2018-5388 | MEDIUM | CVSS 6.5 | fixed in strongswan 5.6.3-1 (bookworm) | 2018
CVE-2018-5388 [MEDIUM]: strongswan - In stroke_socket.c in strongSwan before 5.6.3, a missing packet length check could allow a buffer underflow, which may lead to resource exhaustion and denial of service while reading from the socket. Scope: local. bookworm: resolved (fixed in 5.6.3-1); bullseye: resolved (fixed in 5.6.3-1); forky: resolved (fixed in 5.6.3-1); sid: resolved (fixed in 5.6.3-1); trixie:
debian
CVE-2018-5389 | LOW | CVSS 5.9 | 2018
CVE-2018-5389 [MEDIUM]: libreswan - The Internet Key Exchange v1 main mode is vulnerable to offline dictionary or brute force attacks. Reusing a key pair across different versions and modes of IKE could lead to cross-protocol authentication bypasses. It is well known that the aggressive mode of IKEv1 PSK is vulnerable to offline dictionary or brute force attacks. For the main mode, however, only an
debian
CVE-2017-9023 | HIGH | CVSS 7.5 | fixed in strongswan 5.5.1-4 (bookworm) | 2017
CVE-2017-9023 [HIGH]: strongswan - The ASN.1 parser in strongSwan before 5.5.3 improperly handles CHOICE types when the x509 plugin is enabled, which allows remote attackers to cause a denial of service (infinite loop) via a crafted certificate. Scope: local. bookworm: resolved (fixed in 5.5.1-4); bullseye: resolved (fixed in 5.5.1-4); forky: resolved (fixed in 5.5.1-4); sid: resolved (fixed in 5.5.1-4)
debian
CVE-2017-11185 | HIGH | CVSS 7.5 | fixed in strongswan 5.6.0-1 (bookworm) | 2017
CVE-2017-11185 [HIGH]: strongswan - The gmp plugin in strongSwan before 5.6.0 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted RSA signature. Scope: local. bookworm: resolved (fixed in 5.6.0-1); bullseye: resolved (fixed in 5.6.0-1); forky: resolved (fixed in 5.6.0-1); sid: resolved (fixed in 5.6.0-1); trixie: resolved (fixed in 5.6.0-1)
debian
CVE-2017-9022 | HIGH | CVSS 7.5 | fixed in strongswan 5.5.1-4 (bookworm) | 2017
CVE-2017-9022 [HIGH]: strongswan - The gmp plugin in strongSwan before 5.5.3 does not properly validate RSA public keys before calling mpz_powm_sec, which allows remote peers to cause a denial of service (floating point exception and process crash) via a crafted certificate. Scope: local. bookworm: resolved (fixed in 5.5.1-4); bullseye: resolved (fixed in 5.5.1-4); forky: resolved (fixed in 5.5.1-4); si
debian