Release and vulnerability announcements for strongSwan

strongSwan Vulnerability (CVE-2026-35329)

A vulnerability in libstrongswan and the pkcs7 plugin related to the processing of encrypted PKCS#7 containers was discovered in strongSwan that can result in a crash. All versions since 5.0.2 are affected.

Haruto Kimura reported bugs in libstrongswan and the pkcs7 plugin related to the processing of encrypted PKCS#7 containers that can lead to a crash.

NULL-Pointer Dereference When Processing Padding in PKCS#7

The PKCS#5 implementation in libstrongswan and the PKCS#7 implementation in the pkcs7 plugin don't check for zero-length input when verifying the padding after decryption, which can cause a crash due to a NULL-pointer dereference. Affected are all strongSwan versions since 5.0.2.

CVE-2026-35329 has been assigned for this vulnerability.

Missing Check for Empty Plaintext When Processing Padding

PKCS#7 (or Cryptographic Message Syntax, CMS) containers contain nested blocks of signed and encrypted data. There are two types of structures defined for encryption. The enveloped-data content type encrypts the data with a random symmetric key that's then encrypted with the public key of the recipient. The encrypted-data content type uses a pre-shared secret to directly encrypt the data. The latter is based on PKCS#5, which is also used to encrypt private keys in PKCS#8 or PKCS#12 containers.

The decryption via PKCS#5 is implemented by the pkcs5_t class in libstrongswan, which was added with 5.1.0, while the pkcs7 plugin handles the decryption of enveloped-data since 5.0.2.

Both schemes use a symmetric cipher to encrypt the data. As these often have a fixed block size, there is usually padding at the end of the decrypted data that has to be removed. The padding consists of a number of bytes (fewer than the block size), each of which equals the length of the padding, so that length can be determined by reading the last byte of the plaintext.

Both implementations use very similar code to verify and remove the padding. Unfortunately, both fail to ensure that there actually is any data to process. This results in a NULL-pointer dereference if an enveloped-data or encrypted-data structure is empty.
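The defect class described above, as an added example that is not strongSwan's code: a constructed, simplified unpadding routine that reads the last plaintext byte unconditionally, next to a hardened version that rejects NULL or empty input (and input that is not a whole number of blocks) before touching that byte. The 16-byte block size is an assumption for the example; RFC 5652 padding counts run from 1 up to the block size inclusive, so the hardened check allows that full range. The sample plaintexts are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BLOCK_SIZE 16   /* assumption: a 16-byte block cipher such as AES */

/* Constructed illustration of the defect class: reads the last plaintext byte
 * before confirming there is one. With an empty content (len == 0, data == NULL)
 * data[len - 1] dereferences an invalid address and the process crashes.
 * Kept only to contrast with unpad_checked() below. */
static long unpad_vulnerable(const uint8_t *data, size_t len)
{
    uint8_t pad = data[len - 1];                 /* no length check here */
    if (pad == 0 || pad > BLOCK_SIZE || pad > len) {
        return -1;
    }
    for (size_t i = len - pad; i < len; i++) {
        if (data[i] != pad) {
            return -1;
        }
    }
    return (long)(len - pad);
}

/* Hardened unpadding: reject NULL/empty input and lengths that are not a whole
 * number of blocks before reading the last byte. The pad count must be
 * 1..BLOCK_SIZE and every padding byte must equal it.
 * Returns the length of the real data, or -1 if the padding is invalid. */
static long unpad_checked(const uint8_t *data, size_t len)
{
    if (data == NULL || len == 0 || len % BLOCK_SIZE != 0) {
        return -1;                               /* the check the advisory describes as missing */
    }
    uint8_t pad = data[len - 1];
    if (pad == 0 || pad > BLOCK_SIZE) {
        return -1;
    }
    /* len >= BLOCK_SIZE >= pad here, so len - pad cannot wrap around */
    unsigned diff = 0;
    for (size_t i = len - pad; i < len; i++) {
        diff |= (unsigned)(data[i] ^ pad);       /* examine every pad byte, no early exit */
    }
    return diff ? -1 : (long)(len - pad);
}

/* Constructed sample plaintexts, as a decryption would hand them to the unpadder. */
static const uint8_t sample_ok[16]   = { 'h','e','l','l','o',' ','w','o','r','l','d', 5,5,5,5,5 };
static const uint8_t sample_full[16] = { 16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16 };
static const uint8_t sample_bad[16]  = { 'h','e','l','l','o',' ','w','o','r','l','d', 5,5,4,5,5 };

int main(void)
{
    printf("valid padding (checked):    %ld\n", unpad_checked(sample_ok, sizeof sample_ok));     /* 11 */
    printf("valid padding (vulnerable): %ld\n", unpad_vulnerable(sample_ok, sizeof sample_ok));  /* 11 */
    printf("full block of padding:      %ld\n", unpad_checked(sample_full, sizeof sample_full)); /* 0 */
    printf("corrupt padding byte:       %ld\n", unpad_checked(sample_bad, sizeof sample_bad));   /* -1 */
    printf("empty plaintext:            %ld\n", unpad_checked(NULL, 0));                         /* -1 */
    /* unpad_vulnerable(NULL, 0) would crash at this point; the length check must come first. */
    return 0;
}
```

On well-formed input both routines agree; the difference only shows on the empty case, which is exactly the input an empty enveloped-data or encrypted-data structure produces. The hardened loop also accumulates mismatches instead of returning at the first bad byte, so the amount of work does not depend on where a mismatch sits.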

This can be triggered by any code path that accepts PKCS#7 or PKCS#5 structures. The most significant one is via IKEv1 CERT payloads, for which type 1 signifies PKCS#7-wrapped X.509 certificates. Support for that was also added with 5.0.2.

Remote code execution is not possible due to this issue.

As mentioned in the introduction, credit to Haruto Kimura (Stella) for finding this vulnerability and the non-constant-time padding validation and reporting it responsibly.

Mitigation

Servers that don't accept IKEv1 connections are not vulnerable to remote attacks.
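One way to verify that a server does not accept IKEv1, as an added illustration rather than configuration from the advisory: in a swanctl.conf-style configuration (assumed here), a connection whose version is set to 2 only negotiates IKEv2, whereas version 0 accepts either IKE version and version 1 accepts IKEv1. Every connection section should therefore carry the setting below, and none should be left at 0 or 1.

```conf
connections {
    # example connection name; the setting that matters is "version"
    rw {
        version = 2        # IKEv2 only; 0 would also accept IKEv1 peers
        local_addrs = 0.0.0.0
        local {
            auth = pubkey
            certs = serverCert.pem
        }
        remote {
            auth = pubkey
        }
        children {
            net {
                local_ts = 10.0.0.0/24
            }
        }
    }
}
```

Reviewing this is a workaround for deployments that cannot update immediately; the fixed release or the provided patches remain the actual remedy.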

The just-released strongSwan 6.0.6 fixes this vulnerability. For older releases, we provide patches that fix the vulnerability and should apply with appropriate hunk offsets.