CVE-2026-50721
Severity: High (CVSS 8.1)
Summary
In Libreswan, the function RSA_authenticate_hash_signature_raw_rsa() did not properly verify the length of the authentication hash when the SIG payload of an IKEv1 packet was encoded with PKCS #1 RSA Encryption (RFC 2313). A remote attacker can use a variation of the Bleichenbacher attack to forge the SIG payload when small public exponents are used (e.g., e=3), leading to impersonation of a trusted peer. Additionally, sending a shorter-than-expected hash in the SIG payload can trigger an assertion and a daemon restart, causing denial of service.
Risk Assessment
The organization is at risk of impersonation of trusted peers in IKEv1 connections and DoS attacks that can disrupt VPN services. Sustained exploitation results in persistent denial of service.
Recommendation
Immediately update Libreswan to a patched version. Until the update is applied, restrict access to IKEv1 services and monitor logs for unusual events.
Original NVD description (English source)
Libreswan, via the function RSA_authenticate_hash_signature_raw_rsa(), did not correctly verify the length of the authentication hash when the SIG payload of an IKEv1 packet was encoded using PKCS #1 RSA Encryption as per RFC 2313. A remote attacker can use a variation on the Bleichenbacher attack to forge the SIG payload when small public exponents are being used (e.g., e=3), which could lead to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the SIG payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of remote IKE peers are not affected.
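The length check the advisory describes, as an added illustration (this is not Libreswan's code): a minimal PKCS #1 v1.5 block parser in two forms, one that compares only the leading hash bytes and one that requires the recovered hash to fill the block exactly. The modulus size, hash value and filler bytes are constructed sample inputs.

```python
import hmac

# Added example, not Libreswan's code. A PKCS #1 v1.5 (RFC 2313, block type 1)
# signature block, as recovered by the RSA public-key operation, must be exactly
#   0x00 || 0x01 || 0xFF*(k-3-len(H)) || 0x00 || H
# where k is the modulus length in bytes and H is the authentication hash.
# lax_verify models the bug class named in the advisory; strict_verify is
# the hardened form a verifier should use.

def encode_block(h: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 block for a k-byte modulus; needs >= 8 padding bytes."""
    ps_len = k - 3 - len(h)
    if ps_len < 8:
        raise ValueError("hash too long for modulus")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + h

def _strip_padding(em: bytes) -> bytes:
    """Return the bytes after 00 01 FF..FF 00, or raise ValueError."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x01:
        raise ValueError("bad block type")
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= len(em) or em[i] != 0x00:   # at least 8 bytes of 0xFF
        raise ValueError("bad padding string")
    return em[i + 1:]

def lax_verify(em: bytes, expected: bytes) -> bool:
    """Vulnerable pattern: only the first len(expected) bytes are compared, so
    trailing bytes are ignored (the room a Bleichenbacher-style forgery with
    e=3 needs), and a short hash trips an assertion instead of a clean reject."""
    h = _strip_padding(em)
    assert len(h) >= len(expected), "hash shorter than expected"  # crash, not reject
    return h[:len(expected)] == expected

def strict_verify(em: bytes, expected: bytes) -> bool:
    """Hardened: recovered hash must fill the block exactly; constant-time compare."""
    try:
        h = _strip_padding(em)
    except ValueError:
        return False
    return len(h) == len(expected) and hmac.compare_digest(h, expected)

# Constructed sample inputs: 1024-bit modulus (k=128), 20-byte stand-in "hash".
K, H = 128, bytes(range(20))
GOOD = encode_block(H, K)
# Minimal padding, the right hash, then 97 bytes of filler: accepted by the lax parser.
FORGED_SHAPE = b"\x00\x01" + b"\xff" * 8 + b"\x00" + H + b"\x2a" * (K - 11 - len(H))
SHORT = encode_block(H[:10], K)   # 10-byte hash in the SIG payload (DoS case)

def lax_crashes_on(em: bytes, expected: bytes) -> bool:
    """True if the lax parser aborts (AssertionError) rather than returning False."""
    try:
        return lax_verify(em, expected) and False
    except AssertionError:
        return True
```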

