{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-35330/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["strongSwan \u003c= 5.9.13"],"_cs_severities":["critical"],"_cs_tags":["strongSwan","heap-overflow","eap-sim","eap-aka","CVE-2026-35330","exploit"],"_cs_type":"advisory","_cs_vendors":["strongSwan"],"content_html":"\u003cp\u003eA public remote exploit has been released targeting strongSwan version 5.9.13, specifically exploiting a heap buffer overflow vulnerability (CVE-2026-35330) within the libsimaka EAP-SIM/AKA module. The vulnerability resides in the \u003ccode\u003eparse_attributes()\u003c/code\u003e function in \u003ccode\u003esimaka_message.c\u003c/code\u003e. This function calculates the attribute data length without validating against \u003ccode\u003ehdr-\u0026gt;length == 0\u003c/code\u003e, leading to an integer underflow when \u003ccode\u003ehdr-\u0026gt;length\u003c/code\u003e is 0. This results in a small memory allocation followed by an oversized \u003ccode\u003ememcpy\u003c/code\u003e, triggering a heap buffer overflow. The exploit, identified as EDB-52587, highlights the pre-authentication nature of the vulnerability, as the malicious payload is processed during IKE_AUTH before peer authentication is completed. This vulnerability poses a critical risk to systems running vulnerable strongSwan versions with the EAP-SIM or EAP-AKA plugin enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends a malicious IKE_AUTH request to a vulnerable strongSwan server.\u003c/li\u003e\n\u003cli\u003eThe request contains an EAP-SIM/AKA payload crafted to trigger the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esimaka_message_create_from_payload()\u003c/code\u003e function processes the received data.\u003c/li\u003e\n\u003cli\u003eInside \u003ccode\u003eparse_attributes()\u003c/code\u003e in \u003ccode\u003esimaka_message.c\u003c/code\u003e, the code calculates the attribute data length using \u003ccode\u003ehdr-\u0026gt;length * 4 - 4\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf \u003ccode\u003ehdr-\u0026gt;length\u003c/code\u003e is 0, the calculation results in an integer underflow, leading to a large value being used for the size of the data to be copied.\u003c/li\u003e\n\u003cli\u003eThe code allocates a small chunk of memory using \u003ccode\u003emalloc(sizeof(attr_t) + data.len)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAn oversized \u003ccode\u003ememcpy\u003c/code\u003e operation is performed, copying data beyond the allocated buffer, leading to a heap buffer overflow.\u003c/li\u003e\n\u003cli\u003eThis overflow can lead to arbitrary code execution, potentially granting the attacker complete control of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-35330) allows a remote, unauthenticated attacker to achieve arbitrary code execution on a vulnerable strongSwan server. Given that strongSwan is frequently used to establish VPN connections, successful exploitation could grant an attacker unauthorized access to internal networks and sensitive data. The Exploit-DB entry confirms the exploit\u0026rsquo;s feasibility.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade strongSwan to a version patched against CVE-2026-35330. The fix is available in master \u0026gt;= aa5aaebc33 as referenced in the Exploit-DB entry.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect strongSwan libsimaka Heap Overflow Attempt\u0026rdquo; to identify potential exploitation attempts by monitoring for EAP-SIM/AKA messages with a zero-length attribute, as described in the vulnerability details.\u003c/li\u003e\n\u003cli\u003eApply input validation on EAP-SIM/AKA attribute lengths to prevent the integer underflow, addressing the root cause described in the exploit details.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T06:21:15Z","date_published":"2026-05-29T06:21:15Z","id":"https://feed.craftedsignal.io/briefs/2026-05-strongswan-heap-overflow/","summary":"A remote exploit is available for strongSwan 5.9.13 exploiting a heap buffer overflow in the libsimaka EAP-SIM/AKA module (CVE-2026-35330), enabling pre-authentication exploitation via a malformed EAP-SIM/AKA payload.","title":"strongSwan 5.9.13 libsimaka EAP-SIM/AKA Heap Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-strongswan-heap-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-35330","version":"https://jsonfeed.org/version/1.1"}