IKEv2 Denial of Service via malformed fragmentation
Summary
| CVE | CVE-2026-12413 |
|---|---|
| State | PUBLISHED |
| Assigner | libreswan |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-02 22:16:42 UTC |
| Updated | 2026-07-08 18:52:42 UTC |
| Description | An invalidly formatted IKEv2 fragment causes the Libreswan pluto daemon to crash and restart. Continued exploitation would cause a denial of service. The function reassemble_v2_incoming_fragments() would ignore unknown outer payloads but still store these in a fixed size array msg_digest.digest[PAYLIMIT]. An off-by-one error in the assertion PASSERT(logger, md->digest_roof < elemsof(md->digest)) causes the daemon to abort. No remote code execution is possible. Any configuration that allows IKEv2 connections that do not set fragmentation=no are vulnerable. IKEv1 is not affected. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from d42dc95b-23f1-4e06-9076-20753a0fb0df
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.005970000 probability, percentile 0.444240000 (date 2026-07-10)
Problem Types: CWE-193 | CWE-617 | CWE-193 Off-by-one Error | CWE-617 Reachable Assertion
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | d42dc95b-23f1-4e06-9076-20753a0fb0df | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | CNA | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | The Libreswan Project | Libreswan | affected 4.6 5.3 semver | Not specified |
| CNA | The Libreswan Project | Libreswan | unaffected 5.3.1 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| libreswan.org/security/CVE-2026-12413/CVE-2026-12413.txt | d42dc95b-23f1-4e06-9076-20753a0fb0df | libreswan.org | Vendor Advisory, Mitigation |
| libreswan.org/security/CVE-2026-12413 | d42dc95b-23f1-4e06-9076-20753a0fb0df | libreswan.org | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Hu Xinyao (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-06-16T00:00:00.000Z | Libreswan notified of the issue via [email protected] |
| CNA | 2026-06-16T00:00:00.000Z | Advanced notice given to supported customers and distributions |
| CNA | 2026-06-24T00:00:00.000Z | Public announcement and release of libreswan 5.3.1 |
Solutions
CNA: Upgrade to libreswan 5.3.1 or later. Patches for libreswan 4.15 and 5.3 are available at https://libreswan.org
Workarounds
CNA: If fragmentation is not needed, fragmentation=no can be added to all IKEv2 configurations. If fragmentation is needed, no workaround is possible and the fix needs to be applied.
There are currently no legacy QID mappings associated with this CVE.