strongSwan 6.0.5 fixes CVE-2026-25075 vulnerability
strongSwan released version 6.0.5 to fix a vulnerability in the eap-ttls plugin. The plugin did not check the length field in the header of attribute-value pairs (AVPs) tunneled in EAP-TTLS. This omission could cause a 32-bit integer underflow when the parsed length value fell between 0 and 7.
An unauthenticated attacker could exploit the flaw
CVE-2026-25075 was assigned to the issue. Remote code execution is not possible. Kazuma Matsumoto of GMO Cybersecurity
Clients and servers that do not use EAP-TTLS authentication are not vulnerable. Servers that terminate EAP-TTLS on a RADIUS server are also unaffected. A patch for older releases is available and applies with appropriate hunk offsets.
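To illustrate the bug class described above, here is an added example (not strongSwan's code) of an EAP-TTLS AVP header parser in two forms: one that trusts the 24-bit AVP Length field and underflows when it is smaller than the 8-byte header, and one that validates the field against the header size and the buffer before subtracting. The sample AVP bytes are constructed for the example; the layout follows RFC 5281 (Code 4 bytes, Flags 1 byte, Length 3 bytes, optional Vendor-ID 4 bytes).

```c
#include <stdint.h>
#include <stddef.h>

/* EAP-TTLS AVP header: Code(4) Flags(1) Length(3) [Vendor-ID(4) if V flag set] */
#define AVP_HDR_LEN 8u
#define AVP_FLAG_V  0x80u

/* Reads the 24-bit AVP Length field (which counts the header as well). */
static uint32_t avp_length_field(const uint8_t *buf) {
    return ((uint32_t)buf[5] << 16) | ((uint32_t)buf[6] << 8) | buf[7];
}

/* Unchecked variant: models the missing length check. A Length field in the
 * range 0..7 makes the unsigned subtraction wrap to a value near 2^32, so a
 * caller would then believe the AVP carries gigabytes of data. */
static uint32_t avp_data_len_unchecked(const uint8_t *buf, size_t len) {
    if (len < AVP_HDR_LEN) return 0;
    return avp_length_field(buf) - AVP_HDR_LEN;   /* underflows for Length < 8 */
}

/* Hardened variant: rejects Length values smaller than the header (including
 * the Vendor-ID when present) or larger than the bytes actually received.
 * Returns 0 and sets *data_len on success, -1 on a malformed header. */
static int avp_parse_checked(const uint8_t *buf, size_t len, uint32_t *data_len) {
    if (len < AVP_HDR_LEN) return -1;
    uint32_t hdr = AVP_HDR_LEN;
    if (buf[4] & AVP_FLAG_V) hdr += 4;              /* vendor-specific AVP */
    uint32_t avp_len = avp_length_field(buf);
    if (avp_len < hdr || avp_len > len) return -1;  /* the check that was missing */
    *data_len = avp_len - hdr;
    return 0;
}

/* Constructed samples: a well-formed User-Name AVP (Code 1, M flag, Length 13,
 * data "alice") and a malformed one whose Length field is 5. */
static const uint8_t sample_avp_ok[] = {
    0x00, 0x00, 0x00, 0x01, 0x40, 0x00, 0x00, 0x0D, 'a', 'l', 'i', 'c', 'e'
};
static const uint8_t sample_avp_bad[] = {
    0x00, 0x00, 0x00, 0x01, 0x40, 0x00, 0x00, 0x05
};
```

The hardened parser is the shape of check a reviewer should expect wherever a length field that includes its own header is subtracted from.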
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from strongSwan and reviewed by the T&B editorial agent team.