Bug 2450414 (CVE-2026-25075)

Summary: CVE-2026-25075 strongSwan: Denial of Service via integer underflow in EAP-TTLS AVP parser
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in strongSwan. An unauthenticated remote attacker can exploit an integer underflow vulnerability in the EAP-TTLS AVP (Attribute-Value Pair) parser. By sending specially crafted AVP data with invalid length fields during IKEv2 (Internet Key Exchange version 2) authentication, the attacker can trigger excessive memory allocation or a NULL pointer dereference. This ultimately leads to a Denial of Service (DoS) by crashing the charon IKE daemon.
Bug Depends On: 2450652, 2450653, 2450654    

Description OSIDB Bzimport 2026-03-23 19:02:07 UTC
strongSwan versions 4.5.0 prior to 6.0.5 contain an integer underflow vulnerability in the EAP-TTLS AVP parser that allows unauthenticated remote attackers to cause a denial of service by sending crafted AVP data with invalid length fields during IKEv2 authentication. Attackers can exploit the failure to validate AVP length fields before subtraction to trigger excessive memory allocation or NULL pointer dereference, crashing the charon IKE daemon.
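
The class of defect described above, shown as an added example that is not strongSwan's code: a parser for a single EAP-TTLS AVP (header layout per RFC 5281) that validates the declared length before subtracting the header size. The function and type names (`avp_parse`, `avp_t`) are hypothetical, and tolerating missing padding on the last AVP is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdint.h>

#define AVP_HDR_LEN     8u    /* code(4) + flags(1) + length(3), RFC 5281 */
#define AVP_VENDOR_LEN  4u    /* extra Vendor-ID field when the V flag is set */
#define AVP_FLAG_VENDOR 0x80u

typedef struct {
    uint32_t code;
    const uint8_t *data;   /* points into the input buffer, nothing is copied */
    size_t data_len;
    size_t consumed;       /* bytes used, including padding to 4 octets */
} avp_t;

/* Hypothetical helper: parse one AVP from buf.
 * Returns 0 on success, -1 on malformed input. */
int avp_parse(const uint8_t *buf, size_t buf_len, avp_t *out)
{
    if (buf == NULL || out == NULL || buf_len < AVP_HDR_LEN)
        return -1;

    uint32_t code = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                    ((uint32_t)buf[2] << 8) | buf[3];
    uint8_t flags = buf[4];
    /* The 24-bit AVP Length covers header and data, but not padding. */
    size_t avp_len = ((size_t)buf[5] << 16) | ((size_t)buf[6] << 8) | buf[7];
    size_t hdr_len = AVP_HDR_LEN +
                     ((flags & AVP_FLAG_VENDOR) ? AVP_VENDOR_LEN : 0u);

    /* Validate BEFORE subtracting: without this check, avp_len - hdr_len
     * wraps to a huge size_t when the declared length is shorter than the
     * header, and the result later drives an allocation or a copy. */
    if (avp_len < hdr_len || avp_len > buf_len)
        return -1;

    size_t padded = (avp_len + 3u) & ~(size_t)3u;

    out->code = code;
    out->data = buf + hdr_len;
    out->data_len = avp_len - hdr_len;   /* safe: avp_len >= hdr_len */
    /* Assumption: the final AVP in a buffer may omit its padding. */
    out->consumed = padded <= buf_len ? padded : buf_len;
    return 0;
}
```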