StrongSwan Flaw Allows Unauthenticated Attackers to Crash VPNs
Integer underflow in StrongSwan EAP-TTLS parser allows unauthenticated remote DoS.
Summary
A high-severity integer underflow vulnerability in StrongSwan's EAP-TTLS AVP parser affects versions 4.5.0 through 6.0.4 and can be exploited remotely without authentication to crash VPN services. The flaw stems from insufficient validation of AVP length fields, allowing attackers to trigger excessive memory allocation or NULL pointer dereference in the charon IKE daemon. StrongSwan released version 6.0.5 with fixes that add proper AVP length validation during parsing.
Full text
A high-severity vulnerability in StrongSwan’s EAP-TTLS AVP parser could be exploited remotely, without authentication, to take VPN services offline. An open source IPsec VPN solution that provides client and server encryption and authentication, StrongSwan supports Windows, Linux, macOS, Android, and other platforms, and is widely used across enterprise environments. The software supports, among other authentication methods, Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS), which relies on Attribute-Value Pairs (AVPs) to pass authentication data through a TLS tunnel. Last week, StrongSwan warned that all versions from 4.5.0 to 6.0.4 are affected by an integer underflow bug in the EAP-TTLS AVP parser that could be abused to crash the process by supplying crafted AVP data with invalid length fields. “Attackers can exploit the failure to validate AVP length fields before subtraction to trigger excessive memory allocation or NULL pointer dereference, crashing the charon IKE daemon,” a NIST advisory reads. The issue exists because the parser does not check the AVP’s length value, which leads to a 32-bit integer underflow for length values between 0 and 7, StrongSwan explains.Advertisement. Scroll to continue reading. While this leads to resource exhaustion if memory allocation succeeds, allocating large amounts of memory may fail, resulting in a null-pointer dereference and a segmentation fault, it says. According to Bishop Fox, successful exploitation of the flaw requires a two-phase attack, where a malicious packet corrupts the heap and a second packet triggers the segmentation fault, crashing the daemon. The cybersecurity firm discovered that the crash is triggered based on how the system handles the impossibly large allocation request. While in some cases NULL is immediately returned, in others the daemon crashes only when corrupted structures are used in a subsequent request. The vulnerability was addressed in StrongSwan version 6.0.5, which adds the required validation of AVP length values during the parsing operation. Related: Critical Vulnerability in OpenAI Codex Allowed GitHub Token Compromise Related: TP-Link Patches High-Severity Router Vulnerabilities Related: Cisco Patches Multiple Vulnerabilities in IOS Software Related: iOS, macOS 26.4 Roll Out With Fresh Security Patches Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Telnyx Targeted in Growing TeamPCP Supply Chain AttackExploitation of Fresh Citrix NetScaler Vulnerability BeginsF5 BIG-IP DoS Flaw Upgraded to Critical RCE, Now Exploited in the WildCloudflare-Themed ClickFix Attack Drops Infiniti Stealer on MacsOpenAI Launches Bug Bounty Program for Abuse and Safety RisksTP-Link Patches High-Severity Router VulnerabilitiesCoruna iOS Exploit Kit Likely an Update to Operation TriangulationHightower Holding Data Breach Impacts 130,000 Latest News Google Slashes Quantum Resource Requirements for Breaking Cryptocurrency EncryptionExploitation of Critical Fortinet FortiClient EMS Flaw BeginsLloyds Data Security Incident Impacts 450,000 IndividualsCritical Vulnerability in OpenAI Codex Allowed GitHub Token Compromise Healthcare IT Platform CareCloud Probing Potential Data BreachSilent Drift: How LLMs Are Quietly Breaking Organizational Access ControlHuskeys Emerges From Stealth With $8 Million in FundingRussian APT Star Blizzard Adopts DarkSword iOS Exploit Kit Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveModerna has promoted Farzan Karimi to Deputy Chief Information Security Officer.Brian Goldfarb has been appointed Chief Marketing Officer at SentinelOne.Token has appointed Katy Nelson as Chief Revenue Officer.More People On The MoveExpert Insights Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) Flipboard Reddit Whatsapp Whatsapp Email