Share
## https://sploitus.com/exploit?id=0F297FD2-C6A2-51B1-B10F-AEE514905678
# CVE-2026-35333

strongSwan RADIUS attribute-iterator pre-auth infinite loop / remote DoS.

## Description

`attribute_enumerate()` in `src/libradius/radius_message.c:247-271`
accepts RADIUS attributes whose `length` byte is smaller than
`sizeof(rattr_t)` (2). For `length == 0`:

- `data->len = next->length - sizeof(rattr_t)` underflows to `(size_t)-2`
- `this->left -= next->length` is `left -= 0` โ€” counter never decreases
- `this->next += next->length` is `next += 0` โ€” pointer never advances

The enumerator returns the same bogus attribute every iteration,
hanging the caller's `while (enumerate(...))` loop.

The DAE receive callback in `eap_radius_dae.c` calls
`request->verify(..., NULL, secret, ...)` before dispatching on the
RADIUS code. For `code == Access-Request`, `verify()` skips the
Response-Authenticator MD5 check and walks the attribute enumerator
to find `Message-Authenticator` โ€” so the zero-length attribute traps
the parser **before** the shared secret is checked. The attack is
unauthenticated.

One UDP packet pegs a charon worker thread at 100% CPU forever.
Repeat N times to exhaust all N worker threads.

Affected: strongSwan  --port 3799
```

## Requirements

- Target: strongSwan charon with `eap-radius` plugin loaded and
  `dae.enable = yes` (UDP/3799 listener)
- Attacker: network reachability to UDP/3799, Python 3 (stdlib only)

## References

- https://github.com/strongswan/strongswan/commit/e067d24293
- https://nvd.nist.gov/vuln/detail/CVE-2026-35333

## Legal Notice

This project is released under the GNU GPLv3.

It is provided for defensive security research, education, and authorized
testing. Do not use this code against systems or services without explicit
permission from the owner.

Unauthorized use may violate applicable law. The authors do not grant permission
to test third-party systems and are not responsible for misuse.

See the LICENSE file for warranty and liability terms.