Description
An invalidly formatted IKEv2 fragment causes the Libreswan pluto daemon to crash and restart. Continued exploitation would cause a denial of service. The function reassemble_v2_incoming_fragments() would ignore unknown outer payloads but still store these in a fixed size array msg_digest.digest[PAYLIMIT]. An off-by-one error in the assertion PASSERT(logger, md->digest_roof < elemsof(md->digest)) causes the daemon to abort. No remote code execution is possible. Any configuration that allows IKEv2 connections that do not set fragmentation=no are vulnerable. IKEv1 is not affected.
Problem types
Product status
4.6 (semver)
5.3.1 (semver)
Timeline
| 2026-06-16: | Libreswan notified of the issue via security@libreswan.org |
| 2026-06-16: | Advanced notice given to supported customers and distributions |
| 2026-06-24: | Public announcement and release of libreswan 5.3.1 |
Credits
Hu Xinyao
References
libreswan.org/security/CVE-2026-12413/CVE-2026-12413.txt (Libreswan Security Advisory)
libreswan.org/security/CVE-2026-12413/ (Libreswan CVE-2026-12413 Patches)