Nixpkgs security tracker

Untriaged

Permalink CVE-2026-25075

7.5 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

created 2 months ago Activity log

Created suggestion 2 months ago

strongSwan 4.5.0 < 6.0.5 EAP-TTLS AVP Parsing Integer Underflow

strongSwan versions 4.5.0 prior to 6.0.5 contain an integer underflow vulnerability in the EAP-TTLS AVP parser that allows unauthenticated remote attackers to cause a denial of service by sending crafted AVP data with invalid length fields during IKEv2 authentication. Attackers can exploit the failure to validate AVP length fields before subtraction to trigger excessive memory allocation or NULL pointer dereference, crashing the charon IKE daemon.

References

https://www.strongswan.org/blog/2026/03/23/strongswan-vulnerability-(cve-2026-2… exploitvendor-advisory
https://www.strongswan.org/blog/2026/03/23/strongswan-6.0.5-released.html release-notes
https://www.vulncheck.com/advisories/strongswan-eap-ttls-avp-parsing-integer-un… third-party-advisory

Affected products

strongSwan

<6.0.5

Matching in nixpkgs

pkgs.strongswan

OpenSource IPsec-based VPN Solution

nixos-unstable 6.0.4
- nixpkgs-unstable 6.0.4
- nixos-unstable-small 6.0.4
nixos-25.11 6.0.4
- nixos-25.11-small 6.0.4
- nixpkgs-25.11-darwin 6.0.4

pkgs.strongswanNM

OpenSource IPsec-based VPN Solution

nixos-unstable 6.0.4
- nixpkgs-unstable 6.0.4
- nixos-unstable-small 6.0.4
nixos-25.11 6.0.4
- nixos-25.11-small 6.0.4
- nixpkgs-25.11-darwin 6.0.4

pkgs.strongswanTNC

OpenSource IPsec-based VPN Solution

nixos-unstable 6.0.4
- nixpkgs-unstable 6.0.4
- nixos-unstable-small 6.0.4
nixos-25.11 6.0.4
- nixos-25.11-small 6.0.4
- nixpkgs-25.11-darwin 6.0.4

pkgs.strongswanTPM

OpenSource IPsec-based VPN Solution

nixos-unstable 6.0.4
- nixpkgs-unstable 6.0.4
- nixos-unstable-small 6.0.4
nixos-25.11 6.0.4
- nixos-25.11-small 6.0.4
- nixpkgs-25.11-darwin 6.0.4

pkgs.networkmanager-strongswan

NetworkManager's strongswan plugin

nixos-unstable 1.6.4
- nixpkgs-unstable 1.6.4
- nixos-unstable-small 1.6.4
nixos-25.11 1.6.4
- nixos-25.11-small 1.6.4
- nixpkgs-25.11-darwin 1.6.4

pkgs.networkmanager_strongswan

NetworkManager's strongswan plugin

nixos-unstable 1.6.4
- nixpkgs-unstable 1.6.4
- nixos-unstable-small 1.6.4
nixos-25.11 1.6.4
- nixos-25.11-small 1.6.4
- nixpkgs-25.11-darwin 1.6.4

Dismissed

Permalink CVE-2025-62291

8.1 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

updated 4 months ago by @LeSuisse Activity log

Created suggestion 4 months, 1 week ago
@LeSuisse ignored
4 packages
- strongswanNM
- strongswanTNC
- strongswanTPM
- networkmanager_strongswan
4 months ago
@LeSuisse dismissed 4 months ago

In the eap-mschapv2 plugin (client-side) in strongSwan before 6.0.3, a …

In the eap-mschapv2 plugin (client-side) in strongSwan before 6.0.3, a malicious EAP-MSCHAPv2 server can send a crafted message of size 6 through 8, and cause an integer underflow that potentially results in a heap-based buffer overflow.

References

Affected products

strongSwan

<6.0.3

Matching in nixpkgs

pkgs.strongswan

OpenSource IPsec-based VPN Solution

nixos-unstable 6.0.3
- nixpkgs-unstable 6.0.3
- nixos-unstable-small 6.0.3

Ignored packages (4)

pkgs.strongswanNM

OpenSource IPsec-based VPN Solution

nixos-unstable 6.0.3
- nixpkgs-unstable 6.0.3
- nixos-unstable-small 6.0.3

pkgs.strongswanTNC

OpenSource IPsec-based VPN Solution

nixos-unstable 6.0.3
- nixpkgs-unstable 6.0.3
- nixos-unstable-small 6.0.3

pkgs.strongswanTPM

OpenSource IPsec-based VPN Solution

nixos-unstable 6.0.3
- nixpkgs-unstable 6.0.3
- nixos-unstable-small 6.0.3

pkgs.networkmanager_strongswan

NetworkManager's strongswan plugin

nixos-unstable 1.6.2
- nixpkgs-unstable 1.6.2
- nixos-unstable-small 1.6.2

Current stable branch has never been impacted.

https://github.com/NixOS/nixpkgs/commit/d8a0ae9d79b2914faf8864c94e552211284094c5

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.strongswan

pkgs.strongswanNM

pkgs.strongswanTNC

pkgs.strongswanTPM

pkgs.networkmanager-strongswan

pkgs.networkmanager_strongswan

References

Affected products

Matching in nixpkgs

pkgs.strongswan

pkgs.strongswanNM

pkgs.strongswanTNC

pkgs.strongswanTPM

pkgs.networkmanager_strongswan