{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/radius/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["strongSwan \u003c= 5.9.13"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","radius","strongswan","CVE-2026-35333"],"_cs_type":"advisory","_cs_vendors":["strongSwan"],"content_html":"\u003cp\u003eA denial-of-service (DoS) vulnerability has been identified in strongSwan version 5.9.13 (and earlier) within the eap-radius plugin when the DAE (Dead Anti-Exploit) feature is enabled. The vulnerability, tracked as CVE-2026-35333, stems from how the \u003ccode\u003eattribute_enumerate()\u003c/code\u003e function handles RADIUS messages with zero-length attributes. An attacker can exploit this flaw by sending a specially crafted RADIUS Access-Request containing a zero-length attribute. This triggers an infinite loop within the \u003ccode\u003echaron\u003c/code\u003e process, causing a worker thread to consume 100% CPU. Repeated exploitation can exhaust all available worker threads, effectively denying service to legitimate users. This vulnerability is pre-authentication, meaning an attacker does not need valid credentials to trigger the DoS. Public exploit code is available, increasing the urgency for patching vulnerable systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a strongSwan instance running version 5.9.13 or earlier with the eap-radius plugin and DAE enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious RADIUS Access-Request packet. The packet contains a User-Name attribute with a length of 0.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted RADIUS Access-Request packet to the strongSwan instance on UDP port 3799 (default).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003echaron\u003c/code\u003e daemon receives the packet and processes it via the \u003ccode\u003eattribute_enumerate()\u003c/code\u003e function in \u003ccode\u003esrc/libradius/radius_message.c\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the zero-length attribute, the \u003ccode\u003eattribute_enumerate()\u003c/code\u003e function enters an infinite loop, causing a single \u003ccode\u003echaron\u003c/code\u003e worker thread to consume 100% CPU.\u003c/li\u003e\n\u003cli\u003eThe attacker sends multiple crafted packets to exhaust all available \u003ccode\u003echaron\u003c/code\u003e worker threads.\u003c/li\u003e\n\u003cli\u003eLegitimate RADIUS authentication requests are no longer processed due to the exhaustion of worker threads.\u003c/li\u003e\n\u003cli\u003eThe strongSwan service becomes unavailable, resulting in a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35333 results in a denial-of-service condition, rendering the strongSwan VPN service unavailable. This can disrupt network access for legitimate users and impact business operations. The vulnerability is pre-authentication, meaning that anyone can trigger the DoS without requiring credentials. There is currently no information available regarding specific sectors targeted or the number of victims affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of strongSwan that addresses CVE-2026-35333 to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eDisable the \u003ccode\u003echaron.plugins.eap-radius.dae.enable\u003c/code\u003e option in the \u003ccode\u003estrongswan.conf\u003c/code\u003e file as a temporary workaround to mitigate the DoS, as shown in the exploit description.\u003c/li\u003e\n\u003cli\u003eMonitor strongSwan servers for high CPU utilization by \u003ccode\u003echaron\u003c/code\u003e worker threads using tools like \u003ccode\u003eps\u003c/code\u003e to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Strongswan CVE-2026-35333 DoS Exploit\u0026rdquo; to identify malicious RADIUS packets targeting the vulnerability in network traffic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T06:21:31Z","date_published":"2026-05-29T06:21:31Z","id":"https://feed.craftedsignal.io/briefs/2026-05-strongswan-dos/","summary":"A denial-of-service vulnerability exists in strongSwan version 5.9.13 due to a flaw in the eap-radius plugin when built with DAE enabled, allowing remote attackers to exhaust worker threads by sending a crafted RADIUS Access-Request (CVE-2026-35333).","title":"strongSwan 5.9.13 Denial-of-Service Vulnerability (CVE-2026-35333)","url":"https://feed.craftedsignal.io/briefs/2026-05-strongswan-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Radius","version":"https://jsonfeed.org/version/1.1"}