Debian strongSwan Critical Denial of Service Remote Exec DSA-6330-1
debian
June 8, 2026
Elliott Childre identified a vulnerability in strongSwan, an IKE/IPsec suite
Topics Covered
Summary
Upstream lists several mitigations:
- - Servers that don't use EAP or XAuth authentication are not vulnerable to
remote attacks.
- - Servers that use EAP authentication but delegate it to a RADIUS server and
don't request an EAP-Identity themselves are not vulnerable either. However,
note that the `eap-radius` plugin parses `Class` and `Filter-Id` attributes
as group identities if enabled, in which case a rogue RADIUS server is able
to trigger the issue.
- - Servers that use IKEv1 with XAuth are not vulnerable unless they use the
`xauth-eap` plugin.
For the oldstable distribution (bookworm), this problem has been fixed
in version 5.9.8-5+deb12u5.
For the stable distribution (trixie), this problem has been fixed in
version 6.0.1-6+deb13u6.
We recommend that you upgrade your strongswan packages.
For the detailed security status of strongswan please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/strongswan
Further information about Debian Security Advisor...
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: strongswan
CVE ID: CVE-2026-47895
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!