<Vulnerability name="CVE-2026-12413">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-06-24T00:00:00</PublicDate>
    <Bugzilla id="2494149" url="https://bugzilla.redhat.com/show_bug.cgi?id=2494149" xml:lang="en:us">
librenswan: IKEv2 Denial of Service via malformed fragmentation
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>7.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-193</CWE>
    <Details xml:lang="en:us" source="Mitre">
An invalidly formatted IKEv2 fragment causes the Libreswan pluto daemon to crash and restart. Continued exploitation would cause a denial of service. The function reassemble_v2_incoming_fragments() would ignore unknown outer payloads but still store these in a fixed size array msg_digest.digest[PAYLIMIT]. An off-by-one error in the assertion PASSERT(logger, md-&gt;digest_roof &lt; elemsof(md-&gt;digest)) causes the daemon to abort. No remote code execution is possible. Any configuration that allows IKEv2 connections that do not set fragmentation=no are vulnerable. IKEv1 is not affected.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Libreswan's IKEv2 fragment reassembly mechanism. When a VPN gateway processes incoming split network packets (fragments) containing unexpected data, an off-by-one boundary validation error triggers an internal program safety check (assertion failure). A remote, unauthenticated attacker can exploit this by sending a specific sequence of malformed IKEv2 fragments to an exposed gateway, causing the Libreswan daemon to immediately crash and restart. While this flaw does not allow data theft or unauthorized system access, a continuous stream of these packets will lead to a persistent Denial of Service (DoS) for legitimate VPN users.
    </Details>
    <Statement xml:lang="en:us">
Red Hat Product Security rates this vulnerability as having an Important impact, primarily because it can be exploited remotely without authentication. However, the actual exposure depends entirely on your specific VPN configuration:

```
Affected Configurations: This vulnerability only impacts IKEv2 connections. By default, Libreswan enables packet fragmentation (fragmentation=yes) to handle large encryption keys over restrictive network paths. Any default IKEv2 tunnel that do not set fragmentation=no are vulnerable.

Unaffected Configurations: IKEv1 connections are completely unaffected by this flaw.

```

```
Crucially, this vulnerability does not impact environments running Libreswan versions 4.5 and older. The vulnerable fragment reassembly engine was introduced during a major codebase refactor in version 4.6. As a result, older product branches—such as those shipped in rhel-6, rhel-7, rhel-8.6.z and prior do not contain the flawed code path and are inherently immune to this attack.

```
    </Statement>
    <Mitigation xml:lang="en:us">
If upgrading to Libreswan is not an option, you can mitigate the vulnerability by disabling IKEv2 fragment processing:

Add the following directive to your global or connection-specific configuration files in /etc/ipsec.conf: ```fragmentation=no```

Warning: Disabling fragmentation may cause larger IKEv2 payloads (such as those carrying large X.509 certificate chains) to be dropped by intermediate network routers if they exceed the path MTU.
    </Mitigation>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9::fastdatapath">
        <ProductName>Fast Datapath for RHEL 9</ProductName>
        <FixState>Affected</FixState>
        <PackageName>libreswan</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Affected</FixState>
        <PackageName>libreswan</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>libreswan</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>libreswan</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Affected</FixState>
        <PackageName>libreswan</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Affected</FixState>
        <PackageName>libreswan</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Affected</FixState>
        <PackageName>libreswan</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhcos</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-12413
https://nvd.nist.gov/vuln/detail/CVE-2026-12413
https://libreswan.org/security/CVE-2026-12413/
https://libreswan.org/security/CVE-2026-12413/CVE-2026-12413.txt
https://lists.libreswan.org/archives/list/swan-announce@lists.libreswan.org/thread/7BZBYREBGXFPS4TSWOZX37WABRZVLK74/
    </References>
</Vulnerability>