HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

DoS Vulnerability (CVE‑2026‑35333) in strongSwan 5.9.13 Allows Service Disruption of VPN Gateways

A network‑level denial‑of‑service bug (CVE‑2026‑35333) in strongSwan ≤ 5.9.13’s eap‑radius plugin lets an unauthenticated attacker exhaust VPN worker threads with a crafted RADIUS packet. The issue impacts any organization using strongSwan for IPsec/VPN services and requires immediate mitigation for third‑party risk management.

LiveThreat™ Intelligence · 📅 May 30, 2026· 📰 exploit-db.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
exploit-db.com

DoS Vulnerability (CVE‑2026‑35333) in strongSwan 5.9.13 Allows Service Disruption of VPN Gateways

What Happened – A flaw in the eap-radius plugin of strongSwan ≤ 5.9.13 (CVE‑2026‑35333) lets an attacker send a crafted RADIUS Access‑Request containing a zero‑length attribute. The parser enters an infinite loop, pegging a worker thread at 100 % CPU. Repeating the request across multiple threads can exhaust all workers, causing a denial‑of‑service for the VPN service.

Why It Matters for TPRM

  • VPN/IPsec gateways are common third‑party services for remote access, cloud connectivity, and IoT edge sites.
  • A DoS can halt business‑critical communications, leading to operational loss and reputational damage.
  • The vulnerability is exploitable over the network without authentication, making it a low‑effort, high‑impact vector for attackers targeting supply‑chain partners.

Who Is Affected – Organizations that rely on strongSwan for IPsec/VPN services, including MSPs, cloud‑hosted VPN providers, and enterprises that self‑host strongSwan appliances.

Recommended Actions

  • Verify the version of strongSwan in use; upgrade to 5.9.14 or later where the bug is patched.
  • If upgrade is not immediately possible, disable the eap-radius plugin or the DAE (Dynamic Authorization Extension) feature.
  • Review firewall rules to restrict RADIUS traffic to known, authorized sources.
  • Incorporate continuous vulnerability scanning for VPN infrastructure in your third‑party risk program.

Technical Notes – The flaw resides in attribute_enumerate() within src/libradius/radius_message.c. A zero‑length attribute prevents the iterator from advancing, causing an underflow and infinite loop on a charon worker thread. The issue is triggered before the Message‑Authenticator check, allowing unauthenticated exploitation. No CVE‑related data leakage is reported; impact is limited to service disruption. Source: Exploit‑DB 52586

📰 Original Source
https://www.exploit-db.com/exploits/52586

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →