PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-50721 The Libreswan Project CVE debrief

A variation of the Bleichenbacher attack can be used to forge SIG payloads in Libreswan when small public exponents are used, potentially leading to impersonation. A remote attacker can also trigger a denial-of-service by encoding a shorter than expected hash in the SIG payload. The attack is limited to IKEv1 packets encoded using PKCS #1 RSA Encryption as per RFC 2313. Users of Libreswan should verify their configurations and ensure proper mitigations are in place. The CVE record and NVD entry provide additional context for understanding the vulnerability.

Vendor
The Libreswan Project
Product
libreswan
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-02
Original CVE updated
2026-07-07
Advisory published
2026-07-02
Advisory updated
2026-07-07

Who should care

Users of Libreswan, particularly those using IKEv1 with small public exponents, should verify their configurations and ensure proper mitigations are in place. This includes updating Libreswan to the latest version, verifying IKEv1 configurations for small public exponents, and implementing compensating controls to detect and prevent Bleichenbacher attacks. Security teams and vulnerability management teams should also review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.

Technical summary

The Libreswan implementation did not correctly verify the length of the authentication hash when the SIG payload of an IKEv1 packet was encoded using PKCS #1 RSA Encryption as per RFC 2313. This allows for a variation of the Bleichenbacher attack, potentially leading to impersonation when small public exponents are used. Additionally, encoding a shorter than expected hash in the SIG payload can trigger an assertion, leading to a denial-of-service. The vulnerability is limited to IKEv1 packets and does not affect X.509 certificate verifications of remote IKE peers.

Defensive priority

High priority should be given to updating Libreswan to mitigate the Bleichenbacher attack and denial-of-service vulnerabilities. Security teams should review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.

Recommended defensive actions

  • Update Libreswan to the latest version
  • Verify IKEv1 configurations for small public exponents
  • Implement compensating controls to detect and prevent Bleichenbacher attacks
  • Monitor for unusual SIG payload lengths
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-02T22:16:43.367Z and was last modified on 2026-07-07T18:16:39.147Z. The NVD entry is currently Undergoing Analysis. Evidence is limited, and defenders should verify the official CVE record and NVD entry for the latest information. The Libreswan implementation did not correctly verify the length of the authentication hash when the SIG payload of an IKEv1 packet was encoded using PKCS #1 RSA Encryption as per RFC 2313. This allows for a variation of the Bleichenbacher attack, potentially leading to impersonation when small public exponents are used. Additionally, encoding a shorter than expected hash in the SIG payload can trigger an assertion, leading to a denial-of-service.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-02T22:16:43.367Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.