CVE-2026-50722

Public on 2026-07-02
Modified on 2026-07-06
Description
Libreswan, via the function RSA_authenticate_hash_signature_pkcs1_1_5_rsa(), did not correctly verify the DER encoding of the ASN.1 digest when the IKEv2 AUTH payload was encoded using RSASSA-PKCS1-v1_5 (RFC 8017). A remote attacker can use a variation on the Bleichenbacher attack to forge the AUTH payload when small public exponents are used (e.g., e=3), leading to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the AUTH payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of the remote IKE peer are not affected.
Severity
Important severity
Important
See what this means
CVSS v3 Base Score
7.0
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core NetworkManager-libreswan Not Affected
Amazon Linux 2 - Core libreswan Pending Fix
Amazon Linux 2023 libreswan Pending Fix

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H