Haruto Kimura reported a bug in the constraints plugin related to the processing of X.509 name constraints that can allow authentication with certificates that violate the constraints.
Accepting Certificates Violating Name Constraints
The constraints plugin validates name constraints case-sensitively, which allows an intermediate CA to issue certificates with identities that violate excluded name constraints by varying the case. As regular identity matching is case-insensitive, such certificates will then be accepted during authentication. All strongSwan versions since 4.5.1 are affected.
CVE-2026-35331 has been assigned for this vulnerability.
Case-sensitive Matching for Name Constraints in constraints Plugin
The constraints plugin enforces various constraints imposed by specific X.509 extensions. So-called "name constraints" enforced by the plugin allow a CA to restrict the identities for which sub-CAs may issue certificates. There can either be permitted name constraints (whitelist), allowing only identities that match one of the constraints, or excluded name constraints (blacklist), which disallow certain identities.
When matching subject distinguished names (DN) or subjectAltName extensions (SAN) of a certificate, the plugin used case-sensitive matching. That violates RFC 5280 and is unlike the regular identity matching performed by strongSwan, which is case-insensitive for most relative DNs (RDNs) and SANs. So a constraint for e.g. strongswan.org wouldn't be matched to vpn.strongSwan.org by the plugin. This is fine for permitted name constraints, where it is just more strict than necessary. However, it's devastating for excluded name constraints, as sub-CAs can easily evade the constraints imposed by the parent CA(s).
The patch changes the matching for SANs so the case is ignored. However, for DNs the situation is more complex because we currently only support binary-matching for RDNs of type UTF8String. This strictness is again fine for normal matching and permitted name constraints, but without the preparation/normalization described in RFC 5280, section 7.1, a rogue sub-CA could again easily violate excluded name constraints. For this reason, the patch changes the plugin to reject excluded name constraints for DNs completely.
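The SAN case from the two paragraphs above, as an added example (not strongSwan's plugin code or the patch): a simplified dNSName check that compares the same excluded constraint case-sensitively and case-insensitively. The names `EXCLUDED`, `dns_within` and `passes_excluded` are hypothetical, and the sample names are constructed from the ones in the text.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample: one excluded dNSName constraint set by the parent CA. */
static const char *EXCLUDED[] = { "strongswan.org" };
#define N_EXCLUDED (sizeof(EXCLUDED) / sizeof(EXCLUDED[0]))

/* Hypothetical helper: is DNS name `id` inside `constraint`? Per RFC 5280 it
 * is if it equals the constraint or adds labels to its left-hand side. */
static bool dns_within(const char *constraint, const char *id, bool ignore_case)
{
	size_t clen = strlen(constraint), ilen = strlen(id);
	const char *tail;
	if (ilen < clen) {
		return false;
	}
	tail = id + (ilen - clen);
	if ((ignore_case ? strncasecmp(tail, constraint, clen)
	                 : strncmp(tail, constraint, clen)) != 0) {
		return false;
	}
	/* Require a label boundary so "notstrongswan.org" is not covered. */
	return ilen == clen || clen == 0 || tail[-1] == '.';
}

/* A SAN passes only if no excluded constraint covers it. */
static bool passes_excluded(const char *id, bool ignore_case)
{
	for (size_t i = 0; i < N_EXCLUDED; i++) {
		if (dns_within(EXCLUDED[i], id, ignore_case)) {
			return false;
		}
	}
	return true;
}

int main(void)
{
	const char *ids[] = { "vpn.strongswan.org", "vpn.strongSwan.org",
	                      "notstrongswan.org" };
	for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++) {
		printf("%-20s case-sensitive: %-6s case-insensitive: %s\n", ids[i],
		       passes_excluded(ids[i], false) ? "pass" : "reject",
		       passes_excluded(ids[i], true) ? "pass" : "reject");
	}
	return 0;
}
```

Only the case-insensitive comparison rejects the mixed-case name, while the unrelated name notstrongswan.org passes in both modes because of the label-boundary check.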
Remote code execution is not possible due to this issue.
As mentioned in the introduction, credit to Haruto Kimura (Stella) for finding this vulnerability and reporting it responsibly.
Mitigation
PKIs that don't use name constraints or only permitted name constraints are not vulnerable.
The just released strongSwan 6.0.6 fixes this vulnerability. For older releases, we provide patches that fix the vulnerability and should apply with appropriate hunk offsets.