VYPR
Unrated severity · NVD Advisory · Published Dec 7, 2023 · Updated Dec 18, 2025

CVE-2023-41913

Description

strongSwan before 5.9.12 contains a buffer overflow in charon-tkm's DH proxy, enabling unauthenticated RCE via a crafted IKE_SA_INIT message.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A buffer overflow vulnerability exists in strongSwan's charon-tkm IKE daemon, affecting versions since 5.3.0 and before 5.9.12. The flaw resides in the diffie_hellman_t::set_other_public_value() method (key_exchange_t::set_public_key() in newer releases), which proxies Diffie-Hellman operations between the IKE daemon and the Trusted Key Manager (TKM). A helper function added in version 5.3.0 removed direct validation of DH public values from the KE payload handling and made the DH backends responsible for that verification. charon-tkm's backend was overlooked in that change: its proxy contains an unchecked memcpy() that copies the received DH public value into a fixed 512-byte stack buffer without verifying its length. An attacker can send a specially crafted, unauthenticated IKE_SA_INIT message with a DH public value exceeding this buffer, causing a stack-based buffer overflow (CWE-121). [1][2]

Exploitation

An unauthenticated attacker with network access to a vulnerable strongSwan system can exploit this vulnerability by sending a crafted IKE_SA_INIT message containing an oversized Diffie-Hellman public value. The value's length is limited only by the maximum accepted IKE message size, which defaults to 10,000 bytes. The memcpy() in charon-tkm's proxy function copies this value into a 512-byte stack buffer without bounds checking, triggering the overflow. No prior authentication or user interaction is required. The attack vector is remote, over the network port used for IKE (typically UDP 500 or 4500). [2]
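The missing length check that the Vulnerability and Exploitation sections describe, written out as an added example; this is not strongSwan's or charon-tkm's code. The 512-byte buffer and the 10,000-byte default IKE message limit are the figures given on this page; chunk_t, tkm_pubvalue_t, the status enum and the function names are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Figures taken from the advisory text: the proxy's fixed buffer is 512 bytes,
 * and the default maximum accepted IKE message is 10,000 bytes. */
#define TKM_PUBVALUE_MAX        512
#define IKE_MAX_MESSAGE_DEFAULT 10000

/* Hypothetical stand-ins for the daemon's types (assumptions; not strongSwan's
 * real definitions): a pointer/length byte chunk as taken from the KE payload,
 * and the fixed-size value handed to the Trusted Key Manager. */
typedef struct {
    const uint8_t *ptr;
    size_t len;
} chunk_t;

typedef struct {
    uint8_t data[TKM_PUBVALUE_MAX];
    size_t  size;
} tkm_pubvalue_t;

typedef enum {
    PUBVALUE_OK = 0,
    PUBVALUE_EMPTY,     /* nothing to copy */
    PUBVALUE_TOO_LONG   /* would overrun the fixed buffer */
} pubvalue_status_t;

/* Length-checked proxy step. The flaw on this page was a memcpy() of value.len
 * bytes into data[] with no comparison against sizeof(data); this version
 * refuses the value instead of overrunning the stack buffer. */
pubvalue_status_t set_public_value_checked(tkm_pubvalue_t *out, chunk_t value)
{
    if (value.ptr == NULL || value.len == 0) {
        return PUBVALUE_EMPTY;
    }
    /* The cap must be the destination buffer, not the IKE message limit:
     * anything up to IKE_MAX_MESSAGE_DEFAULT bytes can legitimately reach here. */
    if (value.len > sizeof(out->data)) {
        return PUBVALUE_TOO_LONG;
    }
    memcpy(out->data, value.ptr, value.len);
    out->size = value.len;
    return PUBVALUE_OK;
}

/* Constructed test input: a KE value of the requested length filled with a
 * fixed byte pattern (not a real DH public value). Returns the status and,
 * via *stored, how many bytes the proxy accepted (0 when rejected). */
pubvalue_status_t feed_value_of_len(size_t len, size_t *stored)
{
    static uint8_t scratch[IKE_MAX_MESSAGE_DEFAULT];
    tkm_pubvalue_t out;
    chunk_t value;
    pubvalue_status_t st;

    if (len > sizeof(scratch)) {
        len = sizeof(scratch);   /* nothing larger than the message limit arrives */
    }
    memset(scratch, 0xAB, sizeof(scratch));
    memset(&out, 0, sizeof(out));
    value.ptr = scratch;
    value.len = len;
    st = set_public_value_checked(&out, value);
    if (stored != NULL) {
        *stored = (st == PUBVALUE_OK) ? out.size : 0;
    }
    return st;
}

/* Scalar wrapper: bytes the proxy stored for a value of the given length. */
size_t accepted_len(size_t len)
{
    size_t stored = 0;
    (void)feed_value_of_len(len, &stored);
    return stored;
}

int main(void)
{
    size_t probes[] = { 256, 512, 513, IKE_MAX_MESSAGE_DEFAULT };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        size_t stored = 0;
        pubvalue_status_t st = feed_value_of_len(probes[i], &stored);
        printf("len=%5zu -> %s (stored %zu bytes)\n", probes[i],
               st == PUBVALUE_OK ? "accepted" : "rejected", stored);
    }
    return 0;
}
```

The point of the check is the comparison target: a value is bounded by the receiver's own buffer, not by whatever the transport was willing to deliver, and the proxy reports a failure rather than copying a prefix or silently truncating.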

Impact

Successful exploitation could allow an unauthenticated remote attacker to achieve arbitrary code execution in the context of the charon-tkm process. This could lead to a full compromise of the affected system, disclosure of sensitive information, or denial of service. The stack-based buffer overflow may be leveraged to overwrite critical data and execute arbitrary code, although specific exploit details are not publicly disclosed. [2]

Mitigation

strongSwan fixed this vulnerability in version 5.9.12 and 6.0.0 (re-released as 6.0.6). Users should upgrade to at least strongSwan 5.9.12 (the last 5.9.x release) or 6.0.6, which includes the patch. No workaround has been published for systems that cannot upgrade. Users of the charon-tkm daemon should prioritize this update. The vulnerability is not currently listed on the CISA KEV catalog. [1][2]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 21

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (No linked articles in our index yet.)