{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25075", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-01-28T21:47:35.121Z", "datePublished": "2026-03-23T18:33:10.952Z", "dateUpdated": "2026-05-06T14:41:06.076Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-04T18:10:36.898Z"}, "title": "strongSwan 4.5.0 < 6.0.5 EAP-TTLS AVP Parsing Integer Underflow", "descriptions": [{"lang": "en", "value": "strongSwan versions 4.5.0 prior to 6.0.5 contain an integer underflow vulnerability in the EAP-TTLS AVP parser that allows unauthenticated remote attackers to cause a denial of service by sending crafted AVP data with invalid length fields during IKEv2 authentication. Attackers can exploit the failure to validate AVP length fields before subtraction to trigger excessive memory allocation or NULL pointer dereference, crashing the charon IKE daemon."}], "datePublic": "2026-03-23T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-191", "description": "CWE-191: Integer Underflow (Wrap or Wraparound)", "type": "CWE"}, {"lang": "en", "cweId": "CWE-476", "description": "NULL Pointer Dereference (CWE-476)", "type": "CWE"}]}], "affected": [{"vendor": "strongSwan", "product": "strongSwan", "repo": "https://github.com/strongswan/strongswan", "versions": [{"status": "affected", "version": "4.5.0", "lessThan": "6.0.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}], "references": [{"url": "https://www.strongswan.org/blog/2026/03/23/strongswan-vulnerability-(cve-2026-25075).html", "tags": ["vendor-advisory", "exploit"]}, {"url": "https://www.strongswan.org/blog/2026/03/23/strongswan-6.0.5-released.html", "tags": ["release-notes"]}, {"url": "https://y637f9qq2x.com/posts/cve-2026-25075/", "tags": ["technical-description", "exploit"]}, {"url": "https://www.vulncheck.com/advisories/strongswan-eap-ttls-avp-parsing-integer-underflow", "tags": ["third-party-advisory"]}], "credits": [{"lang": "en", "value": "Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc.", "type": "finder"}, {"lang": "en", "value": "VulnCheck", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T14:29:53.640147Z", "id": "CVE-2026-25075", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-06T14:41:06.076Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2026/03/msg00016.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-27T19:17:30.660Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2026/03/msg00016.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-27T19:17:30.660Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25075", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T14:29:53.640147Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:31:24.359Z"}}], "cna": {"title": "strongSwan 4.5.0 < 6.0.5 EAP-TTLS AVP Parsing Integer Underflow", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc."}, {"lang": "en", "type": "coordinator", "value": "VulnCheck"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/strongswan/strongswan", "vendor": "strongSwan", "product": "strongSwan", "versions": [{"status": "affected", "version": "4.5.0", "lessThan": "6.0.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2026-03-23T00:00:00.000Z", "references": [{"url": "https://www.strongswan.org/blog/2026/03/23/strongswan-vulnerability-(cve-2026-25075).html", "tags": ["vendor-advisory", "exploit"]}, {"url": "https://www.strongswan.org/blog/2026/03/23/strongswan-6.0.5-released.html", "tags": ["release-notes"]}, {"url": "https://y637f9qq2x.com/posts/cve-2026-25075/", "tags": ["technical-description", "exploit"]}, {"url": "https://www.vulncheck.com/advisories/strongswan-eap-ttls-avp-parsing-integer-underflow", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "strongSwan versions 4.5.0 prior to 6.0.5 contain an integer underflow vulnerability in the EAP-TTLS AVP parser that allows unauthenticated remote attackers to cause a denial of service by sending crafted AVP data with invalid length fields during IKEv2 authentication. Attackers can exploit the failure to validate AVP length fields before subtraction to trigger excessive memory allocation or NULL pointer dereference, crashing the charon IKE daemon."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-191", "description": "CWE-191: Integer Underflow (Wrap or Wraparound)"}, {"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "NULL Pointer Dereference (CWE-476)"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-04T18:10:36.898Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25075", "state": "PUBLISHED", "dateUpdated": "2026-05-06T14:41:06.076Z", "dateReserved": "2026-01-28T21:47:35.121Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-23T18:33:10.952Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "strongSwan versions 4.5.0 prior to 6.0.5 contain an integer underflow vulnerability in the EAP-TTLS AVP parser that allows unauthenticated remote attackers to cause a denial of service by sending crafted AVP data with invalid length fields during IKEv2 authentication. Attackers can exploit the failure to validate AVP length fields before subtraction to trigger excessive memory allocation or NULL pointer dereference, crashing the charon IKE daemon."}, {"lang": "es", "value": "Las versiones de strongSwan 4.5.0 anteriores a la 6.0.5 contienen una vulnerabilidad de desbordamiento negativo de enteros en el analizador AVP de EAP-TTLS que permite a atacantes remotos no autenticados causar una denegaci\u00f3n de servicio mediante el env\u00edo de datos AVP manipulados con campos de longitud no v\u00e1lidos durante la autenticaci\u00f3n IKEv2. Los atacantes pueden explotar la falla al validar los campos de longitud AVP antes de la resta para desencadenar una asignaci\u00f3n excesiva de memoria o una desreferenciaci\u00f3n de puntero NULL, provocando la ca\u00edda del demonio IKE charon."}], "id": "CVE-2026-25075", "lastModified": "2026-05-04T19:16:02.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "disclosure@vulncheck.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-23T19:16:39.313", "references": [{"source": "disclosure@vulncheck.com", "url": "https://www.strongswan.org/blog/2026/03/23/strongswan-6.0.5-released.html"}, {"source": "disclosure@vulncheck.com", "url": "https://www.strongswan.org/blog/2026/03/23/strongswan-vulnerability-(cve-2026-25075).html"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/strongswan-eap-ttls-avp-parsing-integer-underflow"}, {"source": "disclosure@vulncheck.com", "url": "https://y637f9qq2x.com/posts/cve-2026-25075/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2026/03/msg00016.html"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-191"}, {"lang": "en", "value": "CWE-476"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.5.0,6.0.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "strongSwan", "source": "cna", "vendor": "strongSwan"}, "product": "strongswan", "vendor": "strongswan"}], "analysis": {"en": {"generated_at": "2026-03-23T20:24:17.125529+00:00", "value": {"mitigation_remediation": ["Upgrade strongSwan to version 6.0.5 or later."], "summary": {"action": "Immediate Patch", "impact": "Remote denial of service via integer underflow in EAP\u2011TTLS AVP parsing"}, "threat_synthesis": {"affected_systems": "The flaw affects all strongSwan releases prior to 6.0.5, including versions 4.5.0 through 6.0.4. Only installations running these versions are impacted; versions 6.0.5 and later contain the fix.", "description_and_impact": "An integer underflow bug in the EAP\u2011TTLS AVP parser in strongSwan versions 4.5.0 to 6.0.4 allows attackers to send crafted AVP data with invalid length fields during IKEv2 authentication. The failure to validate AVP lengths before subtraction can lead to excessive memory allocation or a null pointer dereference, crashing the charon IKE daemon and resulting in a denial of service. The vulnerability is classified with a CVSS score of 8.7, indicating high severity.", "risk_and_exploitability": "The vulnerability is exploitable remotely by any unauthenticated actor who can connect to the IKEv2 service. Attackers must send specifically crafted EAP\u2011TTLS AVP packets with invalid length fields. No EPSS score is publicly available, and the defect is not listed in the CISA Known Exploited Vulnerabilities catalog, but the CVSS score signals a serious risk if exploited. The lack of a publicly known exploit does not reduce the urgency for patching, as the attack path is straightforward and requires no special credentials."}}}}, "created": "2026-03-24T10:33:21.308747+00:00", "updated": "2026-03-25T20:37:13.671110+00:00", "vendors": ["strongswan", "strongswan$PRODUCT$strongswan"]}