<Vulnerability name="CVE-2026-50721">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-06-24T00:00:00</PublicDate>
    <Bugzilla id="2494147" url="https://bugzilla.redhat.com/show_bug.cgi?id=2494147" xml:lang="en:us">
librenswan: IKEv1 Denial of Service via RSA-SHA1 (PKCS#1 Version 1.5 Encrypted) authentication payload
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>7.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-347</CWE>
    <Details xml:lang="en:us" source="Mitre">
Libreswan, via the function RSA_authenticate_hash_signature_raw_rsa(), did not correctly verify the length of the authentication hash when the SIG payload of an IKEv1 packet was encoded using PKCS #1 RSA Encryption as per RFC 2313. A remote attacker can use a variation on the Bleichenbacher attack to forge the SIG payload when small public exponents are being used (e.g., e=3), which could lead to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the SIG payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of remote IKE peers are not affected.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Libreswan's implementation of IKEv1 authentication via raw RSA signatures. When processing an IKEv1 packet using PKCS #1 v1.5 RSA encryption, the RSA_authenticate_hash_signature_raw_rsa() function fails to properly validate the length of the authentication hash. A remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted IKEv1 packet containing a shorter-than-expected hash payload. This triggers an assertion failure within the Libreswan daemon, causing it to crash and restart, leading to a persistent Denial of Service (DoS) condition if malicious packets are continuously transmitted.

Additionally, if the target system relies on RSA keys with weak public exponents (e.g., e=3), a Bleichenbacher-style signature forgery attack may be feasible, potentially allowing the attacker to bypass authentication entirely.
    </Details>
    <Statement xml:lang="en:us">
Red Hat Product Security rates this as having an Moderate security impact, because this vulnerability directly affects the availability of Libreswan VPN gateways utilizing legacy IKEv1 tunnels. IKEv1 is not default in modern RHEL; modern profiles enforce IKEv2. Because the crash occurs during the unauthenticated phase of the IKE negotiation, any exposed Libreswan service (server or client) accepting standard IKEv1 connections via the default (authby=rsasig) option is vulnerable to the Denial of Service aspect of this flaw.   

Additionally, the risk of the authentication bypass vector is mitigated to low on Red Hat Enterprise Linux due to system-wide Crypto-Policies that strictly disallow the generation and use of keys with weak public exponents. This completely neutralizes the worst-case Authentication Bypass and Impersonation vectors for CVE-2026-50721, confining the threat strictly to a DoS process crash.
    </Statement>
    <Mitigation xml:lang="en:us">
To mitigate this vulnerability, consider the following strategic workarounds if upgrading Libreswan immediately is not viable:

- Migrate to IKEv2: Disable IKEv1 entirely and migrate all connections to IKEv2. The vulnerable code path is tied specifically to IKEv1’s rigid handling of PKCS#1 v1.5 RSA-SHA1.

- Switch to Pre-Shared Keys (PSK): Additionally, if the configuration is for static tunnels, and not for a group of Remote Access VPN Clients, the authentication can be changed to use PSK via "authby=secret" after coordination with the remote peer.
    </Mitigation>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9::fastdatapath">
        <ProductName>Fast Datapath for RHEL 9</ProductName>
        <FixState>Affected</FixState>
        <PackageName>libreswan</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Affected</FixState>
        <PackageName>libreswan</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Out of support scope</FixState>
        <PackageName>libreswan</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Affected</FixState>
        <PackageName>libreswan</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Affected</FixState>
        <PackageName>libreswan</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Affected</FixState>
        <PackageName>libreswan</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Affected</FixState>
        <PackageName>libreswan</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhcos</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-50721
https://nvd.nist.gov/vuln/detail/CVE-2026-50721
https://libreswan.org/security/CVE-2026-50721/
https://libreswan.org/security/CVE-2026-50721/CVE-2026-50721.txt
https://lists.libreswan.org/archives/list/swan-announce@lists.libreswan.org/thread/7BZBYREBGXFPS4TSWOZX37WABRZVLK74/
    </References>
</Vulnerability>