# strongSwan 6.0.5 fixes CVE-2026-25075 vulnerability

_Friday, June 26, 2026 at 6:20 PM EDT · Cybersecurity · Latest · Tier 2 — Notable_

![strongSwan 6.0.5 fixes CVE-2026-25075 vulnerability — Primary](https://www.strongswan.org/images/strongswan_square_large.png)

strongSwan released version 6.0.5 to fix a vulnerability in the eap-ttls plugin. The plugin did not check the length field in the header of attribute-value pairs tunneled in EAP-TTLS. This omission could cause a 32-bit integer underflow when the parsed length value fell between 0 and 7.

An unauthenticated attacker could exploit the flaw by sending a crafted message. The resulting allocation of roughly 4 GiB of memory might fail and lead to a null-pointer dereference and crash. All strongSwan versions since 4.5.0 were affected.
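To make the missing length check concrete, the following is an added C example (constructed for this write-up, not strongSwan's code) that reads the fixed EAP-TTLS AVP header, assumed to follow the RFC 5281 layout of a 4-byte code, 1-byte flags and 3-byte length that counts the header itself, and contrasts the unchecked payload-length computation with a bounds-checked one. The function names `avp_read_length`, `avp_data_len_unchecked` and `avp_data_len_checked` and the two sample byte strings are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed example, not strongSwan's code. Assumes the RFC 5281 AVP header:
 * 4-byte code, 1-byte flags, 3-byte length that counts the header itself. */
#define AVP_HEADER_LEN 8u

/* Extracts the 24-bit length field (bytes 5..7); fails on fewer than 8 bytes. */
bool avp_read_length(const uint8_t *buf, size_t buf_len, uint32_t *length)
{
    if (buf_len < AVP_HEADER_LEN) {
        return false;
    }
    *length = ((uint32_t)buf[5] << 16) | ((uint32_t)buf[6] << 8) | (uint32_t)buf[7];
    return true;
}

/* "Before": payload length derived with no check that the AVP length covers
 * its own header. For length 0..7 the unsigned subtraction wraps to ~4 GiB,
 * the allocation size the advisory describes. Returns -2 on a short buffer. */
int64_t avp_data_len_unchecked(const uint8_t *buf, size_t buf_len)
{
    uint32_t length;
    if (!avp_read_length(buf, buf_len, &length)) {
        return -2;
    }
    uint32_t data_len = length - AVP_HEADER_LEN;   /* wraps when length < 8 */
    return (int64_t)data_len;
}

/* "After": reject a length smaller than the header or larger than the bytes
 * actually received. Returns the payload length, or -1 for a malformed AVP. */
int64_t avp_data_len_checked(const uint8_t *buf, size_t buf_len)
{
    uint32_t length;
    if (!avp_read_length(buf, buf_len, &length)) {
        return -2;
    }
    if (length < AVP_HEADER_LEN || length > buf_len) {
        return -1;
    }
    return (int64_t)(length - AVP_HEADER_LEN);
}

/* Constructed sample: header claiming a total AVP length of 2 bytes. */
static const uint8_t malformed_avp[8] = { 0, 0, 0, 1, 0x40, 0, 0, 2 };
/* Constructed sample: well-formed 12-byte AVP carrying 4 payload bytes. */
static const uint8_t valid_avp[12] = { 0, 0, 0, 1, 0x40, 0, 0, 12, 'a', 'b', 'c', 'd' };
```

The checked variant is the shape of fix a reviewer would look for: the length must be at least the header size and no larger than the bytes actually on hand before it feeds an allocation.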

CVE-2026-25075 was assigned to the issue. Remote code execution is not possible. Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. reported the bug through responsible disclosure.

Clients and servers that do not use EAP-TTLS authentication are not vulnerable. Servers that terminate EAP-TTLS on a RADIUS server are also unaffected. A patch for older releases is available and applies with appropriate hunk offsets.

## Sources

- [strongSwan](https://www.strongswan.org/blog/2026/03/23/strongswan-vulnerability-(cve-2026-25075).html)

---
Canonical: https://techandbusiness.org/newswire/dwShKCC5FBZlnWiQ1QPtcZ
Retrieved: 2026-06-27T04:14:13.717Z
Publisher: Tech & Business (techandbusiness.org)
