IKEv2 Denial of Service via malformed fragmentation
An invalidly formatted IKEv2 fragment causes the Libreswan pluto daemon to crash and restart. Continued exploitation would cause a denial of service. The function reassemble_v2_incoming_fragments() would ignore unknown outer payloads but still store these in a fixed size array msg_digest.digest[PAYLIMIT]. An off-by-one error in the assertion PASSERT(logger, md->digest_roof < elemsof(md->digest)) causes the daemon to abort. No remote code execution is possible. Any configuration that allows IKEv2 connections that do not set fragmentation=no are vulnerable. IKEv1 is not affected.
Vendor-assessed severity. The daemon automatically restarts after the crash, requiring continued exploitation for sustained denial of service.
Impacts
CAPEC ID
Description
Solutions
Upgrade to libreswan 5.3.1 or later. Patches for libreswan 4.15 and 5.3 are available at https://libreswan.org
Configurations
Workarounds
If fragmentation is not needed, fragmentation=no can be added to all IKEv2 configurations. If fragmentation is needed, no workaround is possible and the fix needs to be applied.
Exploits
Credits
finder
Hu Xinyao
Timeline
Event
Date
Libreswan notified of the issue via security@libreswan.org
2026-06-16 00:00:00
Advanced notice given to supported customers and distributions
2026-06-16 00:00:00
Public announcement and release of libreswan 5.3.1
2026-06-24 00:00:00
Event: Libreswan notified of the issue via security@libreswan.org
Date:2026-06-16 00:00:00
Event: Advanced notice given to supported customers and distributions
Date:2026-06-16 00:00:00
Event: Public announcement and release of libreswan 5.3.1