ctipilot.ch

strongSwan libstrongswan identity-clone double-free, unauth RCE over EAP; fixed 6.0.7

cve · CVE-2026-47895

Coverage timeline: 1 (first 2026-06-10, last 2026-06-10)
Briefs: 1 (1 distinct)
Sources cited: 3 (3 hosts)
Sections touched: 1 (trending_vulns)
Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-06-10 CTI Daily Brief — 2026-06-10
     trending_vulns: First coverage. All versions >=4.3.3; BSI WID-SEC-2026-1832; no public PoC/ITW.

Where this entity is cited

  • trending_vulns (1)

Source distribution

  • strongswan.org: 1 (33%)
  • wid.cert-bund.de: 1 (33%)
  • security-hub.ncsc.admin.ch: 1 (33%)

Items in briefs about strongSwan libstrongswan identity-clone double-free, unauth RCE over EAP; fixed 6.0.7 (1)

CVE-2026-47895 — strongSwan: pre-auth double-free in libstrongswan identity cloning, unauthenticated RCE over EAP (patched 6.0.7)

From CTI Daily Brief — 2026-06-10 · published 2026-06-10

The strongSwan project disclosed CVE-2026-47895 on 8 June 2026 and fixed it in 6.0.7 (strongSwan, 2026-06-08). The bug is a double-free in the clone() method of identification_t in libstrongswan: clone() copies the struct wholesale and only allocates a fresh copy of the binary encoding when encoded.len is non-zero, without checking encoded.ptr. An identity whose encoding is zero-length but whose pointer is non-NULL (for example the result of chunk_from_hex() on empty input, which still calls malloc(0)) therefore leaves the original and the clone pointing at the same heap allocation, and destroy() on each of them frees that allocation. On glibc, malloc(0) always returns a unique non-NULL pointer, so the double-free fires reliably. The exploitable path is the EAP-Identity exchange: the server clones and stores the identity supplied by the peer, and when authentication fails the IKE SA teardown destroys the stored copies and triggers the second free, so the bug is reachable before authentication against any strongSwan IKEv2 server with EAP enabled (EAP-Identity, EAP-TTLS sub-identity, or XAuth with xauth-eap). All versions since 4.3.3 are affected; BSI published WID-SEC-2026-1832 (BSI CERT-Bund, 2026-06-09). strongSwan is Swiss-developed and one of the most widely deployed open-source IPsec/IKEv2 stacks on Linux, including across CH/EU VPN infrastructure. No public PoC or in-the-wild exploitation has been reported. Upgrade to 6.0.7; where that is not immediately possible, temporarily disable EAP authentication and require certificate-only auth on affected gateways.
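The aliasing described above, reduced to a self-contained model. This is an added example, not strongSwan's code: the struct layout, the simplified hex decoder (even-length input, no ':' separators) and the hardened clone_fixed() are my assumptions, and clone_fixed() is one correct fix rather than necessarily the patch shipped in 6.0.7. The empty and "01ab" hex inputs are constructed for the demonstration; the empty one reproduces the advisory's trigger state.

```c
/* Added example modelling the identification_t clone() defect; not strongSwan
 * code. chunk_t, encoded, clone and destroy mirror the advisory's vocabulary,
 * everything else is an assumption made for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
	unsigned char *ptr;
	size_t len;
} chunk_t;

typedef struct {
	int type;        /* identity type; irrelevant to the bug */
	chunk_t encoded; /* binary encoding of the identity */
} identity_t;

/* strongSwan-style chunk_clone(): {NULL,0} for an empty chunk, otherwise a
 * fresh heap copy. It never returns a buffer shared with its input. */
static chunk_t chunk_clone(chunk_t in)
{
	chunk_t out = { NULL, 0 };
	if (in.ptr && in.len) {
		out.ptr = malloc(in.len);
		memcpy(out.ptr, in.ptr, in.len);
		out.len = in.len;
	}
	return out;
}

static int hex_val(char c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return 0;
}

/* Modelled on chunk_from_hex(): the output buffer is malloc()ed from the
 * computed length even when that length is 0. On glibc, malloc(0) returns a
 * unique non-NULL pointer: the "empty but non-NULL" state the bug needs. */
chunk_t chunk_from_hex(const char *hex)
{
	size_t n = strlen(hex), len = n / 2, i;
	chunk_t out;
	out.ptr = malloc(len); /* malloc(0) for empty input */
	out.len = len;
	for (i = 0; i < len; i++) {
		out.ptr[i] = (unsigned char)(hex_val(hex[2 * i]) << 4 | hex_val(hex[2 * i + 1]));
	}
	return out;
}

identity_t *identity_from_hex(const char *hex)
{
	identity_t *id = malloc(sizeof *id);
	id->type = 0;
	id->encoded = chunk_from_hex(hex);
	return id;
}

/* Vulnerable clone: shallow-copies the struct and deep-copies the encoding
 * only when len != 0. With len == 0 and ptr != NULL, original and clone keep
 * the same ptr, and destroying both frees it twice. */
identity_t *clone_vulnerable(const identity_t *this)
{
	identity_t *c = malloc(sizeof *c);
	memcpy(c, this, sizeof *c);
	if (this->encoded.len) {
		c->encoded = chunk_clone(this->encoded);
	}
	return c;
}

/* Hardened clone (assumed fix): always route the encoding through
 * chunk_clone(), so a zero-length encoding becomes {NULL,0} in the clone. */
identity_t *clone_fixed(const identity_t *this)
{
	identity_t *c = malloc(sizeof *c);
	memcpy(c, this, sizeof *c);
	c->encoded = chunk_clone(this->encoded);
	return c;
}

/* destroy(): frees the encoding regardless of len, like chunk_free(). */
void identity_destroy(identity_t *this)
{
	free(this->encoded.ptr);
	free(this);
}

/* True when two identities own the same heap buffer: the double-free precondition. */
bool shares_buffer(const identity_t *a, const identity_t *b)
{
	return a->encoded.ptr != NULL && a->encoded.ptr == b->encoded.ptr;
}

int main(void)
{
	identity_t *orig = identity_from_hex(""); /* constructed trigger input */
	identity_t *vuln = clone_vulnerable(orig);
	identity_t *safe = clone_fixed(orig);

	printf("original: ptr=%p len=%zu\n", (void *)orig->encoded.ptr, orig->encoded.len);
	printf("vulnerable clone shares buffer: %s\n", shares_buffer(orig, vuln) ? "yes" : "no");
	printf("hardened clone shares buffer:   %s\n", shares_buffer(orig, safe) ? "yes" : "no");

	/* In the daemon the SA teardown destroys orig and vuln back to back, which
	 * is the double free. Detach the alias here so the demo itself survives. */
	if (shares_buffer(orig, vuln)) {
		vuln->encoded.ptr = NULL;
	}
	identity_destroy(vuln);
	identity_destroy(safe);
	identity_destroy(orig);
	return 0;
}
```

Running it on a glibc system prints a non-NULL original pointer and "yes" for the vulnerable clone; a non-empty identity such as "01ab" takes the chunk_clone() path in both variants and never aliases, which is why the bug hides behind the len check until a zero-length encoding arrives.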