DoS Vulnerability (CVE‑2026‑35333) in strongSwan 5.9.13 Allows Service Disruption of VPN Gateways
What Happened – A flaw in the eap-radius plugin of strongSwan ≤ 5.9.13 (CVE‑2026‑35333) lets an attacker send a crafted RADIUS Access‑Request containing a zero‑length attribute. The parser enters an infinite loop, pegging a worker thread at 100 % CPU. Repeating the request across multiple threads can exhaust all workers, causing a denial‑of‑service for the VPN service.
Why It Matters for TPRM –
- VPN/IPsec gateways are common third‑party services for remote access, cloud connectivity, and IoT edge sites.
- A DoS can halt business‑critical communications, leading to operational loss and reputational damage.
- The vulnerability is exploitable over the network without authentication, making it a low‑effort, high‑impact vector for attackers targeting supply‑chain partners.
Who Is Affected – Organizations that rely on strongSwan for IPsec/VPN services, including MSPs, cloud‑hosted VPN providers, and enterprises that self‑host strongSwan appliances.
Recommended Actions –
- Verify the version of strongSwan in use; upgrade to 5.9.14 or later where the bug is patched.
- If upgrade is not immediately possible, disable the
eap-radiusplugin or the DAE (Dynamic Authorization Extension) feature. - Review firewall rules to restrict RADIUS traffic to known, authorized sources.
- Incorporate continuous vulnerability scanning for VPN infrastructure in your third‑party risk program.
Technical Notes – The flaw resides in attribute_enumerate() within src/libradius/radius_message.c. A zero‑length attribute prevents the iterator from advancing, causing an underflow and infinite loop on a charon worker thread. The issue is triggered before the Message‑Authenticator check, allowing unauthenticated exploitation. No CVE‑related data leakage is reported; impact is limited to service disruption. Source: Exploit‑DB 52586