{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/strongswan--5.9.13/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["strongSwan \u003c= 5.9.13"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","radius","strongswan","CVE-2026-35333"],"_cs_type":"advisory","_cs_vendors":["strongSwan"],"content_html":"\u003cp\u003eA denial-of-service (DoS) vulnerability has been identified in strongSwan version 5.9.13 (and earlier) within the eap-radius plugin when the DAE (Dead Anti-Exploit) feature is enabled. The vulnerability, tracked as CVE-2026-35333, stems from how the \u003ccode\u003eattribute_enumerate()\u003c/code\u003e function handles RADIUS messages with zero-length attributes. An attacker can exploit this flaw by sending a specially crafted RADIUS Access-Request containing a zero-length attribute. This triggers an infinite loop within the \u003ccode\u003echaron\u003c/code\u003e process, causing a worker thread to consume 100% CPU. Repeated exploitation can exhaust all available worker threads, effectively denying service to legitimate users. This vulnerability is pre-authentication, meaning an attacker does not need valid credentials to trigger the DoS. Public exploit code is available, increasing the urgency for patching vulnerable systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a strongSwan instance running version 5.9.13 or earlier with the eap-radius plugin and DAE enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious RADIUS Access-Request packet. The packet contains a User-Name attribute with a length of 0.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted RADIUS Access-Request packet to the strongSwan instance on UDP port 3799 (default).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003echaron\u003c/code\u003e daemon receives the packet and processes it via the \u003ccode\u003eattribute_enumerate()\u003c/code\u003e function in \u003ccode\u003esrc/libradius/radius_message.c\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the zero-length attribute, the \u003ccode\u003eattribute_enumerate()\u003c/code\u003e function enters an infinite loop, causing a single \u003ccode\u003echaron\u003c/code\u003e worker thread to consume 100% CPU.\u003c/li\u003e\n\u003cli\u003eThe attacker sends multiple crafted packets to exhaust all available \u003ccode\u003echaron\u003c/code\u003e worker threads.\u003c/li\u003e\n\u003cli\u003eLegitimate RADIUS authentication requests are no longer processed due to the exhaustion of worker threads.\u003c/li\u003e\n\u003cli\u003eThe strongSwan service becomes unavailable, resulting in a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35333 results in a denial-of-service condition, rendering the strongSwan VPN service unavailable. This can disrupt network access for legitimate users and impact business operations. The vulnerability is pre-authentication, meaning that anyone can trigger the DoS without requiring credentials. There is currently no information available regarding specific sectors targeted or the number of victims affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of strongSwan that addresses CVE-2026-35333 to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eDisable the \u003ccode\u003echaron.plugins.eap-radius.dae.enable\u003c/code\u003e option in the \u003ccode\u003estrongswan.conf\u003c/code\u003e file as a temporary workaround to mitigate the DoS, as shown in the exploit description.\u003c/li\u003e\n\u003cli\u003eMonitor strongSwan servers for high CPU utilization by \u003ccode\u003echaron\u003c/code\u003e worker threads using tools like \u003ccode\u003eps\u003c/code\u003e to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Strongswan CVE-2026-35333 DoS Exploit\u0026rdquo; to identify malicious RADIUS packets targeting the vulnerability in network traffic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T06:21:31Z","date_published":"2026-05-29T06:21:31Z","id":"https://feed.craftedsignal.io/briefs/2026-05-strongswan-dos/","summary":"A denial-of-service vulnerability exists in strongSwan version 5.9.13 due to a flaw in the eap-radius plugin when built with DAE enabled, allowing remote attackers to exhaust worker threads by sending a crafted RADIUS Access-Request (CVE-2026-35333).","title":"strongSwan 5.9.13 Denial-of-Service Vulnerability (CVE-2026-35333)","url":"https://feed.craftedsignal.io/briefs/2026-05-strongswan-dos/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["strongSwan \u003c= 5.9.13"],"_cs_severities":["critical"],"_cs_tags":["strongSwan","heap-overflow","eap-sim","eap-aka","CVE-2026-35330","exploit"],"_cs_type":"advisory","_cs_vendors":["strongSwan"],"content_html":"\u003cp\u003eA public remote exploit has been released targeting strongSwan version 5.9.13, specifically exploiting a heap buffer overflow vulnerability (CVE-2026-35330) within the libsimaka EAP-SIM/AKA module. The vulnerability resides in the \u003ccode\u003eparse_attributes()\u003c/code\u003e function in \u003ccode\u003esimaka_message.c\u003c/code\u003e. This function calculates the attribute data length without validating against \u003ccode\u003ehdr-\u0026gt;length == 0\u003c/code\u003e, leading to an integer underflow when \u003ccode\u003ehdr-\u0026gt;length\u003c/code\u003e is 0. This results in a small memory allocation followed by an oversized \u003ccode\u003ememcpy\u003c/code\u003e, triggering a heap buffer overflow. The exploit, identified as EDB-52587, highlights the pre-authentication nature of the vulnerability, as the malicious payload is processed during IKE_AUTH before peer authentication is completed. This vulnerability poses a critical risk to systems running vulnerable strongSwan versions with the EAP-SIM or EAP-AKA plugin enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends a malicious IKE_AUTH request to a vulnerable strongSwan server.\u003c/li\u003e\n\u003cli\u003eThe request contains an EAP-SIM/AKA payload crafted to trigger the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esimaka_message_create_from_payload()\u003c/code\u003e function processes the received data.\u003c/li\u003e\n\u003cli\u003eInside \u003ccode\u003eparse_attributes()\u003c/code\u003e in \u003ccode\u003esimaka_message.c\u003c/code\u003e, the code calculates the attribute data length using \u003ccode\u003ehdr-\u0026gt;length * 4 - 4\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf \u003ccode\u003ehdr-\u0026gt;length\u003c/code\u003e is 0, the calculation results in an integer underflow, leading to a large value being used for the size of the data to be copied.\u003c/li\u003e\n\u003cli\u003eThe code allocates a small chunk of memory using \u003ccode\u003emalloc(sizeof(attr_t) + data.len)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAn oversized \u003ccode\u003ememcpy\u003c/code\u003e operation is performed, copying data beyond the allocated buffer, leading to a heap buffer overflow.\u003c/li\u003e\n\u003cli\u003eThis overflow can lead to arbitrary code execution, potentially granting the attacker complete control of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-35330) allows a remote, unauthenticated attacker to achieve arbitrary code execution on a vulnerable strongSwan server. Given that strongSwan is frequently used to establish VPN connections, successful exploitation could grant an attacker unauthorized access to internal networks and sensitive data. The Exploit-DB entry confirms the exploit\u0026rsquo;s feasibility.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade strongSwan to a version patched against CVE-2026-35330. The fix is available in master \u0026gt;= aa5aaebc33 as referenced in the Exploit-DB entry.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect strongSwan libsimaka Heap Overflow Attempt\u0026rdquo; to identify potential exploitation attempts by monitoring for EAP-SIM/AKA messages with a zero-length attribute, as described in the vulnerability details.\u003c/li\u003e\n\u003cli\u003eApply input validation on EAP-SIM/AKA attribute lengths to prevent the integer underflow, addressing the root cause described in the exploit details.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T06:21:15Z","date_published":"2026-05-29T06:21:15Z","id":"https://feed.craftedsignal.io/briefs/2026-05-strongswan-heap-overflow/","summary":"A remote exploit is available for strongSwan 5.9.13 exploiting a heap buffer overflow in the libsimaka EAP-SIM/AKA module (CVE-2026-35330), enabling pre-authentication exploitation via a malformed EAP-SIM/AKA payload.","title":"strongSwan 5.9.13 libsimaka EAP-SIM/AKA Heap Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-strongswan-heap-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — StrongSwan \u003c= 5.9.13","version":"https://jsonfeed.org/version/1.1"}