PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-25075 strongSwan CVE debrief

A vulnerability was found in strongSwan versions 4.5.0 prior to 6.0.5. This issue is an integer underflow in the EAP-TTLS AVP parser, which allows unauthenticated remote attackers to cause a denial of service. The vulnerability is triggered by sending crafted AVP data with invalid length fields during IKEv2 authentication. Unaffected versions have addressed this vulnerability. Users should review their deployments and update to version 6.0.5 or later.

Vendor
strongSwan
Product
Unknown
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-23
Original CVE updated
2026-07-14
Advisory published
2026-03-23
Advisory updated
2026-07-14

Who should care

Users of strongSwan versions 4.5.0 through 6.0.4 should be aware of this vulnerability. The vulnerability allows unauthenticated remote attackers to cause a denial of service. Affected operators should review their deployments and update to version 6.0.5 or later. Vulnerability management and security teams should prioritize this update based on the HIGH CVSS score of 8.7.

Technical summary

The integer underflow vulnerability in the EAP-TTLS AVP parser of strongSwan versions 4.5.0 prior to 6.0.5 allows unauthenticated remote attackers to cause a denial of service. This is achieved by sending crafted AVP data with invalid length fields during IKEv2 authentication, which can trigger excessive memory allocation or NULL pointer dereference, crashing the charon IKE daemon. The vulnerability has been addressed in version 6.0.5.

Defensive priority

High

Recommended defensive actions

  • Inventory and update strongSwan to version 6.0.5 or later
  • Implement compensating controls such as monitoring for suspicious IKEv2 authentication attempts
  • Exception tracking for potential false positives
  • Retest affected systems after applying updates
  • Review official advisories for specific guidance
  • Monitor for exposure and prioritize updates based on CVSS score
  • Track exceptions and retest remediated assets

Evidence notes

The CVE record was published on 2026-03-23T19:16:39.313Z and has not been modified since then. The NVD entry is currently Deferred. Evidence is limited to public sources and may not reflect the full scope or impact of this vulnerability. Defenders should verify affected systems and review official advisories for specific guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-03-23T19:16:39.313Z and has not been modified since then. The NVD entry is currently Deferred.