FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

strongSwan -- Double-free when destroying certain cloned identities that can lead to remote code execution

Affected packages
4.3.3 <= strongswan < 6.0.7

Details

VuXML ID a207a367-6359-11f1-8c57-000af7b98cf6
Discovery 2026-06-08
Entry 2026-06-08

R. Elliott Childre reports:

The clone() method of the identification_t class doesn't correctly handle identities that have an empty but non-NULL encoding. Both objects will point to the same location, resulting in a double-free once the second object is destroyed. This can lead to a crash and could potentially be exploitable for remote code execution. Affected are all strongSwan versions since 4.3.3.

[source]

References

CVE Name CVE-2026-47895
URL https://www.cve.org/CVERecord?id=CVE-2026-47895

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.