CVE-2026-50721: CWE-347: Improper Verification of Cryptographic Signature in The Libreswan Project libreswan
Libreswan, via the function RSA_authenticate_hash_signature_raw_rsa(), did not correctly verify the length of the authentication hash when the SIG payload of an IKEv1 packet was encoded using PKCS #1 RSA Encryption as per RFC 2313. A remote attacker can use a variation on the Bleichenbacher attack to forge the SIG payload when small public exponents are being used (e.g., e=3), which could lead to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the SIG payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of remote IKE peers are not affected.
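The check the advisory describes as missing, shown as an added example that is not Libreswan's code: a verifier that rebuilds the complete RFC 2313 block type 1 encoding (00 || 01 || 0xFF padding || 00 || DigestInfo || hash) and compares it byte for byte against the block recovered from the SIG payload, rejecting a hash of the wrong length before anything is compared. The RSA public-key operation that recovers the block, and the DigestInfo prefix and hash supplied by the caller, are assumed and not part of this code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EM_MAX 512  /* largest RSA modulus handled here: 4096 bits */

/* Build the RFC 2313 block type 1 encoding a correct signer produces
 * before the RSA private-key operation: 00 || 01 || PS (0xFF...) || 00 || T,
 * where T is the DigestInfo prefix followed by the hash. Returns the block
 * length written, or 0 if it cannot be formed (PS must be 8+ bytes). */
static size_t pkcs1_v15_encode(uint8_t *em, size_t em_len,
                               const uint8_t *di, size_t di_len,
                               const uint8_t *hash, size_t hash_len)
{
    size_t t_len = di_len + hash_len;
    if (em_len > EM_MAX || em_len < t_len + 11)
        return 0;
    size_t ps_len = em_len - t_len - 3;
    em[0] = 0x00;
    em[1] = 0x01;
    memset(em + 2, 0xFF, ps_len);
    em[2 + ps_len] = 0x00;
    memcpy(em + 3 + ps_len, di, di_len);
    memcpy(em + 3 + ps_len + di_len, hash, hash_len);
    return em_len;
}

/* Verifier side. `em` is the block recovered from the SIG payload by the
 * RSA public-key operation (assumed to have been done by the caller).
 * Rather than parsing the block and trusting whatever length follows the
 * 0x00 separator, rebuild the one block a valid signature must decrypt to
 * and compare all em_len bytes. A hash whose length differs from the
 * algorithm's fixed length is refused up front, so no assertion on the
 * hash size can be reached by a crafted payload. */
static bool pkcs1_v15_verify(const uint8_t *em, size_t em_len,
                             const uint8_t *di, size_t di_len,
                             const uint8_t *hash, size_t hash_len,
                             size_t expected_hash_len)
{
    uint8_t expected[EM_MAX];
    if (hash_len != expected_hash_len)
        return false;
    if (pkcs1_v15_encode(expected, em_len, di, di_len, hash, hash_len) == 0)
        return false;
    uint8_t diff = 0;  /* constant-time compare: no early exit on mismatch */
    for (size_t i = 0; i < em_len; i++)
        diff |= expected[i] ^ em[i];
    return diff == 0;
}
```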
AI Analysis
Technical Summary
The Libreswan project has a cryptographic signature verification vulnerability (CVE-2026-50721) in versions up to 5.3. The function RSA_authenticate_hash_signature_raw_rsa() does not correctly verify the length of the authentication hash when processing IKEv1 SIG payloads encoded using PKCS #1 RSA Encryption (RFC 2313). This improper verification enables a remote attacker to perform a variant of the Bleichenbacher attack when small public exponents like e=3 are used, allowing forgery of the SIG payload and potential impersonation. Furthermore, an attacker can send a shorter hash than expected to trigger an assertion failure, causing the daemon to abort and restart, leading to sustained denial of service. The vulnerability does not affect X.509 certificate verification and does not allow remote code execution.
Potential Impact
An attacker can remotely forge SIG payloads in IKEv1 packets under certain conditions, potentially impersonating legitimate peers. Additionally, the vulnerability can be exploited to cause a denial of service by repeatedly crashing and restarting the Libreswan daemon. There is no impact on confidentiality or integrity of data beyond impersonation, and remote code execution is not possible. X.509 certificate verification is unaffected.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, consider avoiding use of small public exponents (e.g., e=3) in RSA keys used with Libreswan. Monitor for updates from the Libreswan project regarding an official fix or workaround.
CVSS v3.1
Score: 7.5 (High)
Technical Details
- Data Version: 5.2
- Assigner Short Name: libreswan
- Date Reserved: 2026-06-05T16:10:05.751Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a46e0f527e9c797192f76a9
Added to database: 07/02/2026, 22:06:45 UTC
Last enriched: 07/02/2026, 22:21:23 UTC
Last updated: 07/02/2026, 22:51:38 UTC