strongSwan 5.9.13 Denial-of-Service Vulnerability (CVE-2026-35333)

hello@craftedsignal.io — Fri, 29 May 2026 06:21:31 +0000

A denial-of-service (DoS) vulnerability has been identified in strongSwan version 5.9.13 (and earlier) within the eap-radius plugin when the DAE (Dead Anti-Exploit) feature is enabled. The vulnerability, tracked as CVE-2026-35333, stems from how the attribute_enumerate() function handles RADIUS messages with zero-length attributes. An attacker can exploit this flaw by sending a specially crafted RADIUS Access-Request containing a zero-length attribute. This triggers an infinite loop within the charon process, causing a worker thread to consume 100% CPU. Repeated exploitation can exhaust all available worker threads, effectively denying service to legitimate users. This vulnerability is pre-authentication, meaning an attacker does not need valid credentials to trigger the DoS. Public exploit code is available, increasing the urgency for patching vulnerable systems.

Attack Chain

The attacker identifies a strongSwan instance running version 5.9.13 or earlier with the eap-radius plugin and DAE enabled.
The attacker crafts a malicious RADIUS Access-Request packet. The packet contains a User-Name attribute with a length of 0.
The attacker sends the crafted RADIUS Access-Request packet to the strongSwan instance on UDP port 3799 (default).
The charon daemon receives the packet and processes it via the attribute_enumerate() function in src/libradius/radius_message.c.
Due to the zero-length attribute, the attribute_enumerate() function enters an infinite loop, causing a single charon worker thread to consume 100% CPU.
The attacker sends multiple crafted packets to exhaust all available charon worker threads.
Legitimate RADIUS authentication requests are no longer processed due to the exhaustion of worker threads.
The strongSwan service becomes unavailable, resulting in a denial-of-service condition.

Impact

Successful exploitation of CVE-2026-35333 results in a denial-of-service condition, rendering the strongSwan VPN service unavailable. This can disrupt network access for legitimate users and impact business operations. The vulnerability is pre-authentication, meaning that anyone can trigger the DoS without requiring credentials. There is currently no information available regarding specific sectors targeted or the number of victims affected.

Recommendation

Upgrade to a patched version of strongSwan that addresses CVE-2026-35333 to remediate the vulnerability.
Disable the charon.plugins.eap-radius.dae.enable option in the strongswan.conf file as a temporary workaround to mitigate the DoS, as shown in the exploit description.
Monitor strongSwan servers for high CPU utilization by charon worker threads using tools like ps to detect potential exploitation attempts.
Deploy the Sigma rule “Detect Strongswan CVE-2026-35333 DoS Exploit” to identify malicious RADIUS packets targeting the vulnerability in network traffic.

strongSwan 5.9.13 libsimaka EAP-SIM/AKA Heap Buffer Overflow Vulnerability

hello@craftedsignal.io — Fri, 29 May 2026 06:21:15 +0000

A public remote exploit has been released targeting strongSwan version 5.9.13, specifically exploiting a heap buffer overflow vulnerability (CVE-2026-35330) within the libsimaka EAP-SIM/AKA module. The vulnerability resides in the parse_attributes() function in simaka_message.c. This function calculates the attribute data length without validating against hdr->length == 0, leading to an integer underflow when hdr->length is 0. This results in a small memory allocation followed by an oversized memcpy, triggering a heap buffer overflow. The exploit, identified as EDB-52587, highlights the pre-authentication nature of the vulnerability, as the malicious payload is processed during IKE_AUTH before peer authentication is completed. This vulnerability poses a critical risk to systems running vulnerable strongSwan versions with the EAP-SIM or EAP-AKA plugin enabled.

Attack Chain

An attacker sends a malicious IKE_AUTH request to a vulnerable strongSwan server.
The request contains an EAP-SIM/AKA payload crafted to trigger the vulnerability.
The simaka_message_create_from_payload() function processes the received data.
Inside parse_attributes() in simaka_message.c, the code calculates the attribute data length using hdr->length * 4 - 4.
If hdr->length is 0, the calculation results in an integer underflow, leading to a large value being used for the size of the data to be copied.
The code allocates a small chunk of memory using malloc(sizeof(attr_t) + data.len).
An oversized memcpy operation is performed, copying data beyond the allocated buffer, leading to a heap buffer overflow.
This overflow can lead to arbitrary code execution, potentially granting the attacker complete control of the system.

Impact

Successful exploitation of this vulnerability (CVE-2026-35330) allows a remote, unauthenticated attacker to achieve arbitrary code execution on a vulnerable strongSwan server. Given that strongSwan is frequently used to establish VPN connections, successful exploitation could grant an attacker unauthorized access to internal networks and sensitive data. The Exploit-DB entry confirms the exploit’s feasibility.

Recommendation

Upgrade strongSwan to a version patched against CVE-2026-35330. The fix is available in master >= aa5aaebc33 as referenced in the Exploit-DB entry.
Deploy the Sigma rule “Detect strongSwan libsimaka Heap Overflow Attempt” to identify potential exploitation attempts by monitoring for EAP-SIM/AKA messages with a zero-length attribute, as described in the vulnerability details.
Apply input validation on EAP-SIM/AKA attribute lengths to prevent the integer underflow, addressing the root cause described in the exploit details.

StrongSwan <= 5.9.13 — CraftedSignal Threat Feed

strongSwan 5.9.13 Denial-of-Service Vulnerability (CVE-2026-35333)

Attack Chain

Impact

Recommendation

strongSwan 5.9.13 libsimaka EAP-SIM/AKA Heap Buffer Overflow Vulnerability

Attack Chain

Impact

Recommendation