CVE-2026-50721 PUBLISHED

IKEv1 Denial of Service via RSA-SHA1 (PKCS#1 Version 1.5 Encrypted) authentication payload

Assigner: libreswan
Reserved: 05.06.2026
Published: 02.07.2026
Updated: 02.07.2026

Libreswan, via the function RSA_authenticate_hash_signature_raw_rsa(), did not correctly verify the length of the authentication hash when the SIG payload of an IKEv1 packet was encoded using PKCS #1 RSA Encryption as per RFC 2313. A remote attacker can use a variation on the Bleichenbacher attack to forge the SIG payload when small public exponents are being used (e.g., e=3), which could lead to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the SIG payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of remote IKE peers are not affected.
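The defect described above is a signature-encoding check that trusts the structure found in the decrypted signature block instead of insisting on the one exact encoding a correct signer must have produced. The block below is an added example, not libreswan's code and not a transcription of the function named above. It works on the already-recovered encoded message EM (the result of the RSA public-key operation), assumes a 1024-bit modulus (128-byte EM), uses the SHA-1 DigestInfo prefix from RFC 8017, and uses a constructed 20-byte hash in place of the IKEv1 HASH_I/HASH_R value. The lenient function illustrates the weak "parse the padding" pattern: it tolerates any padding length, compares only as many hash bytes as the payload carries, and ignores what follows. The strict function rebuilds the expected EM and compares the whole block, so a shortened hash or trailing bytes are rejected before anything downstream can assert on them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DER DigestInfo prefix for SHA-1 (RFC 8017, section 9.2, note 1). */
static const uint8_t SHA1_DIGESTINFO[] = {
    0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a,
    0x05, 0x00, 0x04, 0x14
};
#define SHA1_LEN 20
#define EM_LEN   128   /* assumption: 1024-bit RSA modulus */

/* Constructed 20-byte "hash" standing in for HASH_I/HASH_R in this demo. */
static const uint8_t DEMO_HASH[SHA1_LEN] = {
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa,
    0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x01, 0x02, 0x03, 0x04, 0x05
};

/* Constant-time equality so the comparison does not leak the failing offset. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Weak "parse the padding" pattern (illustrative, not libreswan's code):
 * any number of 0xFF bytes is accepted, the hash length is taken from
 * whatever the payload carries, and bytes after the hash are never read. */
bool lenient_em_check(const uint8_t *em, size_t em_len,
                      const uint8_t *hash, size_t hash_len)
{
    if (em_len < 2 || em[0] != 0x00 || em[1] != 0x01) return false;
    size_t i = 2;
    while (i < em_len && em[i] == 0xFF) i++;
    if (i >= em_len || em[i] != 0x00) return false;
    i++;
    if (em_len - i < sizeof SHA1_DIGESTINFO ||
        memcmp(em + i, SHA1_DIGESTINFO, sizeof SHA1_DIGESTINFO) != 0)
        return false;
    i += sizeof SHA1_DIGESTINFO;
    size_t avail = em_len - i;
    size_t n = avail < hash_len ? avail : hash_len; /* defect: length from payload */
    return memcmp(em + i, hash, n) == 0;            /* defect: trailing bytes ignored */
}

/* Strict check: rebuild the only encoding a correct signer could have
 * produced for this hash and compare it against the entire EM. */
bool strict_em_check(const uint8_t *em, size_t em_len,
                     const uint8_t *hash, size_t hash_len)
{
    uint8_t expected[EM_LEN];
    const size_t t_len = sizeof SHA1_DIGESTINFO + SHA1_LEN;

    if (hash_len != SHA1_LEN) return false;          /* hash must be SHA-1 sized */
    if (em_len != EM_LEN || em_len < t_len + 11) return false; /* PS >= 8 bytes */

    size_t ps_len = em_len - t_len - 3;              /* EM = 00 01 PS 00 T */
    expected[0] = 0x00;
    expected[1] = 0x01;
    memset(expected + 2, 0xFF, ps_len);
    expected[2 + ps_len] = 0x00;
    memcpy(expected + 3 + ps_len, SHA1_DIGESTINFO, sizeof SHA1_DIGESTINFO);
    memcpy(expected + 3 + ps_len + sizeof SHA1_DIGESTINFO, hash, SHA1_LEN);
    return ct_equal(em, expected, em_len);
}

/* Build a test EM carrying the first hash_bytes of DEMO_HASH followed by
 * tail filler bytes; the padding string absorbs the remaining length. */
static void build_em(uint8_t em[EM_LEN], size_t hash_bytes, size_t tail)
{
    size_t ps_len = EM_LEN - 3 - sizeof SHA1_DIGESTINFO - hash_bytes - tail;
    uint8_t *p = em;
    *p++ = 0x00;
    *p++ = 0x01;
    memset(p, 0xFF, ps_len);                              p += ps_len;
    *p++ = 0x00;
    memcpy(p, SHA1_DIGESTINFO, sizeof SHA1_DIGESTINFO);   p += sizeof SHA1_DIGESTINFO;
    memcpy(p, DEMO_HASH, hash_bytes);                     p += hash_bytes;
    memset(p, 0xAA, tail);
}

/* Cases: 0 = well-formed, 1 = hash shortened to 19 bytes,
 * 2 = full hash followed by 16 filler bytes. Returns 1 if the chosen
 * checker accepts the EM, 0 if it rejects it, -1 for an unknown case. */
int demo_case(int which, bool strict)
{
    uint8_t em[EM_LEN];
    switch (which) {
    case 0: build_em(em, SHA1_LEN, 0);     break;
    case 1: build_em(em, SHA1_LEN - 1, 0); break;
    case 2: build_em(em, SHA1_LEN, 16);    break;
    default: return -1;
    }
    bool ok = (strict ? strict_em_check : lenient_em_check)(em, EM_LEN, DEMO_HASH, SHA1_LEN);
    return ok ? 1 : 0;
}
```

Case 0 passes both checks; cases 1 and 2 pass only the lenient one. The design point is that the verifier should never derive any length from the signature block: the expected hash length, DigestInfo and padding length are all fixed by the modulus size and the hash algorithm, so the correct comparison is a single constant-time equality against the reconstructed EM.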

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.1
Scenario: Weak RSA exponent (e=3) in use, enabling Bleichenbacher signature forgery

Product Status

Vendor The Libreswan Project
Product libreswan
Versions (default: unaffected)
  • affected from 0 to 5.3 (incl.)
  • Version 5.3.1 is unaffected

Affected Configurations

Any server or client that accepts RSA-based IKEv1 connections via the default authby=rsasig option is vulnerable to denial of service. Authentication bypass additionally requires the use of RSA keys with weak exponents (e=3). IKEv1 only supports RSA-SHA1 (PKCS#1 Version 1.5) for public key authentication, so the vulnerable code path cannot be disabled without migrating to IKEv2 or switching to PSK.

Exploits

No known exploitation in the wild. The authentication bypass requires the target to use RSA keys with weak exponents (e=3), which have been disallowed by most cryptographic libraries for at least a decade. The denial-of-service attack is exploitable against any IKEv1 configuration using the default authby=rsasig option.

Workarounds

IKEv1 only supports RSA-SHA1 (PKCS#1 Version 1.5) with public key authentication, so there is no way to disable the vulnerable code path within IKEv1. Migrate IKEv1 connections to IKEv2 where authby=ecdsa or authby=rsa-sha2 can be configured. For static tunnel configurations (not Remote Access VPN Client groups), authentication can be changed to use PSK via authby=secret after coordination with the remote peer.

Solutions

Upgrade to libreswan 5.3.1 or later. Patches for libreswan 4.15 and 5.3 are available at https://libreswan.org/security/CVE-2026-50721/

Credits

  • Yeonghyeon Choi (finder)
  • Duyeong Kim (finder)
  • Andrew Cagney, The Libreswan Team (analyst)

Problem Types

  • CWE-347: Improper Verification of Cryptographic Signature
  • CWE-617: Reachable Assertion

Impacts

  • Denial of Service via assertion failure in pluto daemon when processing malformed RSA PKCS#1 v1.5 SIG payloads in IKEv1
  • Authentication bypass via Bleichenbacher-style signature forgery when weak RSA exponents (e.g., e=3) are in use