strongSwan EAP-SIM / EAP-AKA attribute parser pre-auth heap buffer overflow via integer underflow.
parse_attributes() in src/libsimaka/simaka_message.c:419 reads TLV
headers whose length byte counts 4-byte words. For the AT_RAND /
AT_ENCR_DATA branch:

    if (hdr->length * 4 > in.len || in.len < 4)
        return invalid_length(hdr->type);
    data = chunk_create(in.ptr + 4, hdr->length * 4 - 4);

When hdr->length == 0, hdr->length * 4 - 4 underflows to
(size_t)0xFFFFFFFFFFFFFFFC. The subsequent add_attribute() calls
malloc(sizeof(attr_t) + len) and memcpy(..., data.ptr, len) with
that near-SIZE_MAX length; ASan stops the out-of-bounds memcpy inside
libsimaka.so (negative-size-param).
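The arithmetic above can be checked in isolation. The following self-contained C program is an added illustration, not code from this repository or from strongSwan: it models a hypothetical TLV header (tlv_hdr_t, payload_len_unsafe, payload_len_safe are assumed names) whose length byte counts 4-byte words including the header, reproduces the wrap-around for length == 0, and places next to it a length check that rejects the zero-word case and widens to size_t before subtracting. The hardened variant is a suggested check for this class of bug, not a claim about what upstream commit aa5aaebc33 does.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical TLV header modelled on the README's description (assumption,
 * not strongSwan's actual attr_hdr_t): length is in 4-byte words and
 * includes the 4-byte header itself. */
typedef struct {
    uint8_t type;
    uint8_t length;
} tlv_hdr_t;

/* Mirrors the arithmetic described in the README: the word count is scaled
 * to bytes and the header subtracted with no check that length >= 1.
 * Returns true and stores the payload length in *out when the header passes
 * the (insufficient) bounds check. */
bool payload_len_unsafe(const tlv_hdr_t *hdr, size_t in_len, size_t *out)
{
    if (hdr->length * 4 > in_len || in_len < 4)
        return false;               /* stand-in for invalid_length() */
    /* For length == 0 this is the int value -4, which converts to
     * SIZE_MAX - 3 (0xFFFFFFFFFFFFFFFC on 64-bit) in the size_t store. */
    *out = (size_t)(hdr->length * 4 - 4);
    return true;
}

/* Hardened variant: reject a zero-word attribute (it cannot even contain its
 * own header), do the scaling in size_t, and only subtract once the total is
 * known to be >= 4, so the subtraction can never wrap. */
bool payload_len_safe(const tlv_hdr_t *hdr, size_t in_len, size_t *out)
{
    size_t total = (size_t)hdr->length * 4;
    if (hdr->length == 0 || in_len < 4 || total > in_len)
        return false;
    *out = total - 4;
    return true;
}

int main(void)
{
    /* Constructed headers: zero-word, header-only and a 16-byte attribute,
     * each parsed from a 64-byte buffer. */
    const tlv_hdr_t samples[] = { {1, 0}, {1, 1}, {1, 4} };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        size_t n;
        printf("length=%u words: ", samples[i].length);
        if (payload_len_unsafe(&samples[i], 64, &n))
            printf("unsafe -> %zu bytes; ", n);
        else
            printf("unsafe -> rejected; ");
        if (payload_len_safe(&samples[i], 64, &n))
            printf("safe -> %zu bytes\n", n);
        else
            printf("safe -> rejected\n");
    }
    return 0;
}
```

The point of contrast is the order of operations: the unsafe check compares the scaled length against the buffer but never establishes a lower bound of one word before subtracting the header, while the safe check derives the payload length only from a total already proven to be at least the header size.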
The crash is reached from simaka_message_create_from_payload(...)
followed by msg->parse(msg). No authentication is required; the
EAP-SIM/AKA dispatcher parses the payload before any peer credential
check.
Affected: strongSwan <= 5.9.13. Fixed in upstream master commit
aa5aaebc33 (2026-04-21).
    gcc -fsanitize=address -g -O0 poc.c -lsimaka -lstrongswan -o poc
    ./poc

The PoC links against the installed libsimaka.so and
libstrongswan.so and calls the public API directly. Headers from
the strongSwan development package are required (-I/usr/include is
usually sufficient when libstrongswan-dev is installed).
- Target: strongSwan libsimaka.so <= 5.9.13 (built from upstream tarball; some distros backport fixes)
- Toolchain: gcc with AddressSanitizer support
- https://www.johannes-moeller.dev/blog/cve-2026-35330-strongswan-libsimaka
- https://github.com/strongswan/strongswan/commit/aa5aaebc33
- https://nvd.nist.gov/vuln/detail/CVE-2026-35330
This project is released under the GNU GPLv3.
It is provided for defensive security research, education, and authorized testing. Do not use this code against systems or services without explicit permission from the owner.
Unauthorized use may violate applicable law. The authors do not grant permission to test third-party systems and are not responsible for misuse.
See the LICENSE file for warranty and liability terms.