Cyber Resilience

CVE-2026-25075

HighPublic PoC

Published: 23 March 2026

Published
23 March 2026
Modified
04 May 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0101 58.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-25075 is a high-severity Wrap or Wraparound (CWE-191) vulnerability in Strongswan (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 41.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25075 is an integer underflow vulnerability in the EAP-TTLS AVP parser within strongSwan versions 4.5.0 prior to 6.0.5. The issue stems from a failure to validate AVP length fields before performing subtraction operations, affecting the charon IKE daemon. This flaw, associated with CWE-191 (Integer Underflow) and CWE-476 (NULL Pointer Dereference), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Unauthenticated remote attackers can exploit the vulnerability by sending crafted AVP data containing invalid length fields during IKEv2 authentication. Successful exploitation triggers either excessive memory allocation or a NULL pointer dereference, resulting in a denial-of-service condition that crashes the charon daemon.

Advisories recommend upgrading to strongSwan version 6.0.5, which addresses the vulnerability as detailed in the project's release notes and dedicated blog post. Additional guidance appears in analyses from VulnCheck and Debian LTS announcements, emphasizing the patch deployment for affected systems.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

strongSwan versions 4.5.0 prior to 6.0.5 contain an integer underflow vulnerability in the EAP-TTLS AVP parser that allows unauthenticated remote attackers to cause a denial of service by sending crafted AVP data with invalid length fields during IKEv2 authentication. Attackers…

more

can exploit the failure to validate AVP length fields before subtraction to trigger excessive memory allocation or NULL pointer dereference, crashing the charon IKE daemon.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated exploitation of public-facing strongSwan IKE daemon via crafted EAP-TTLS AVP packets directly enables T1190 for initial access and T1499.004 for DoS via application/system exploitation resulting in daemon crash.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27651Shared CWE-476
CVE-2026-33283Shared CWE-476
CVE-2025-0728Shared CWE-191
CVE-2026-23148Shared CWE-476
CVE-2025-20045Shared CWE-476
CVE-2026-32696Shared CWE-476
CVE-2026-33184Shared CWE-191
CVE-2026-25501Shared CWE-476
CVE-2026-42409Shared CWE-476
CVE-2026-8180Shared CWE-476

Affected Assets

Strongswan
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation by patching strongSwan to version 6.0.5 directly eliminates the integer underflow vulnerability in the EAP-TTLS AVP parser.

prevent

Validates AVP length fields in incoming IKEv2 authentication data to prevent integer underflow leading to excessive memory allocation or NULL pointer dereference.

prevent

Protects system resource availability from denial-of-service attacks that crash the charon IKE daemon via crafted AVP packets.

References