VYPR
← All advisories
Unrated severityNVD Advisory· Published Oct 18, 2021· Updated Aug 4, 2024

CVE-2021-41990

CVE-2021-41990

Description

An integer overflow in strongSwan's gmp plugin allows remote denial-of-service via a crafted RSASSA-PSS certificate signature.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An integer overflow in strongSwan's gmp plugin allows remote denial-of-service via a crafted RSASSA-PSS certificate signature.

Vulnerability

An integer overflow vulnerability exists in the gmp plugin of strongSwan versions from 5.6.1 up to (but not including) 5.9.4 [1]. The bug occurs when processing RSASSA-PSS signatures in X.509 certificates. The plugin parses the salt length from the signature's AlgorithmIdentifier parameters into a size_t variable used in a chunk_t length field. The formula em.len < (hash.len + salt.len + 2) (from RFC 8017) is used to verify the signature structure; if a very large salt length (e.g., 2^64-1) is provided, an integer overflow bypasses this check [1]. The overflowed salt length is later used in a memcpy() call, causing a segmentation fault [1].

Exploitation

An attacker can trigger the vulnerability by sending a crafted certificate with an RSASSA-PSS signature containing an extremely large salt length [1]. The certificate does not need to be trusted by the victim but must be signed by a private key the attacker controls (so that the signature padding check passes) [1]. Because both the x509 and openssl plugins validate self-signed certificates, an attacker acting as an IKE initiator can send an unrelated self-signed CA certificate with the malicious signature to trigger the crash in the peer's strongSwan daemon [1]. No authentication or special network position beyond the ability to initiate an IKE connection is required [1].

Impact

Successful exploitation causes a denial-of-service (DoS) via segmentation fault in the strongSwan daemon [1][2]. Remote code execution is not possible due to the nature of the overflow [1]. The crash disrupts VPN services and may require restarting the daemon or host [1].

Mitigation

StrongSwan version 5.9.4, released on 2021-10-18, fixes the integer overflow by adding proper bounds checking [1][2]. Users should upgrade to 5.9.4 or later [2]. If upgrading is not immediately possible, disabling the gmp plugin (or unloading it via load_modular configuration) can prevent exploitation [1]. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.

References

[1] strongSwan blog - CVE-2021-41990 [2] strongSwan release 5.9.4

References
  1. strongSwan - strongSwan Vulnerability (CVE-2021-41990)
  2. Release strongSwan 5.9.4 · strongswan/strongswan

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

21

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

7

News mentions

0

No linked articles in our index yet.