PatchSiren cyber security CVE debrief
CVE-2026-50721 The Libreswan Project CVE debrief
A variation of the Bleichenbacher attack can be used to forge SIG payloads in Libreswan when small public exponents are used, potentially leading to impersonation. A remote attacker can also trigger a denial-of-service by encoding a shorter than expected hash in the SIG payload. The attack is limited to IKEv1 packets encoded using PKCS #1 RSA Encryption as per RFC 2313. Users of Libreswan should verify their configurations and ensure proper mitigations are in place. The CVE record and NVD entry provide additional context for understanding the vulnerability.
- Vendor
- The Libreswan Project
- Product
- libreswan
- CVSS
- HIGH 8.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-02
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-02
- Advisory updated
- 2026-07-07
Who should care
Users of Libreswan, particularly those using IKEv1 with small public exponents, should verify their configurations and ensure proper mitigations are in place. This includes updating Libreswan to the latest version, verifying IKEv1 configurations for small public exponents, and implementing compensating controls to detect and prevent Bleichenbacher attacks. Security teams and vulnerability management teams should also review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.
Technical summary
The Libreswan implementation did not correctly verify the length of the authentication hash when the SIG payload of an IKEv1 packet was encoded using PKCS #1 RSA Encryption as per RFC 2313. This allows for a variation of the Bleichenbacher attack, potentially leading to impersonation when small public exponents are used. Additionally, encoding a shorter than expected hash in the SIG payload can trigger an assertion, leading to a denial-of-service. The vulnerability is limited to IKEv1 packets and does not affect X.509 certificate verifications of remote IKE peers.
Defensive priority
High priority should be given to updating Libreswan to mitigate the Bleichenbacher attack and denial-of-service vulnerabilities. Security teams should review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.
Recommended defensive actions
- Update Libreswan to the latest version
- Verify IKEv1 configurations for small public exponents
- Implement compensating controls to detect and prevent Bleichenbacher attacks
- Monitor for unusual SIG payload lengths
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-02T22:16:43.367Z and was last modified on 2026-07-07T18:16:39.147Z. The NVD entry is currently Undergoing Analysis. Evidence is limited, and defenders should verify the official CVE record and NVD entry for the latest information. The Libreswan implementation did not correctly verify the length of the authentication hash when the SIG payload of an IKEv1 packet was encoded using PKCS #1 RSA Encryption as per RFC 2313. This allows for a variation of the Bleichenbacher attack, potentially leading to impersonation when small public exponents are used. Additionally, encoding a shorter than expected hash in the SIG payload can trigger an assertion, leading to a denial-of-service.
Official resources
-
CVE-2026-50721 CVE record
CVE.org
-
CVE-2026-50721 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
d42dc95b-23f1-4e06-9076-20753a0fb0df
-
Source reference
d42dc95b-23f1-4e06-9076-20753a0fb0df
-
Source reference
d42dc95b-23f1-4e06-9076-20753a0fb0df
-
Source reference
d42dc95b-23f1-4e06-9076-20753a0fb0df
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-02T22:16:43.367Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.