
[meta-lts-collab,kirkstone,3/7] strongswan: Fix CVE-2026-35330

Message ID 20260604080506.274123-3-nitin.wankhade@kpit.com
State New
Series [meta-lts-collab,kirkstone,1/7] strongswan: Fix CVE-2026-35328 | expand

Commit Message

Nitin Wankhade June 4, 2026, 8:05 a.m. UTC
From: Nitin Wankhade <nitin.wankhade333@gmail.com>

Upstream-Status: Backport [https://snapshot.debian.org/archive/debian-security-debug/20260422T125423Z/pool/updates/main/s/strongswan/strongswan_6.0.1-6%2Bdeb13u5.debian.tar.xz]

Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
---
 ...t-zero-length-EAP-SIM-AKA-attributes.patch | 55 +++++++++++++++++++
 .../strongswan/strongswan_5.9.13.bbappend     |  1 +
 2 files changed, 56 insertions(+)
 create mode 100644 meta-networking/recipes-support/strongswan/files/libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes.patch

Patch

diff --git a/meta-networking/recipes-support/strongswan/files/libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes.patch b/meta-networking/recipes-support/strongswan/files/libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes.patch
new file mode 100644
index 0000000..0e6227d
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/files/libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes.patch
@@ -0,0 +1,55 @@ 
+From: =?utf-8?q?Lukas_Johannes_M=C3=B6ller?= <research@johannes-moeller.dev>
+Date: Wed, 11 Mar 2026 16:07:10 +0000
+Subject: libsimaka: Reject zero-length EAP-SIM/AKA attributes
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+parse_attributes() accepts hdr->length == 0 in the AT_ENCR_DATA,
+AT_RAND, AT_PADDING, default branches. The code then subtracts the
+fixed attribute header size from the encoded length, which underflows
+and exposes a wrapped payload length to later code.  In particular,
+for the cases where add_attribute() is called, this causes a heap-based
+buffer overflow (a buffer of 12 bytes is allocated to which the wrapped
+length is written).  For AT_PADDING, the underflow is irrelevant as
+add_attribute() is not called. Instead, this results in an infinite loop.
+
+Reject zero-length attributes before subtracting the attribute header.
+
+Signed-off-by: Lukas Johannes Möller <research@johannes-moeller.dev>
+
+Fixes: f8330d03953b ("Added a libsimaka library with shared message handling code for EAP-SIM/AKA")
+Fixes: CVE-2026-35330
+
+CVE: CVE-2026-35330
+Upstream-Status: Backport [https://snapshot.debian.org/archive/debian-security-debug/20260422T125423Z/pool/updates/main/s/strongswan/strongswan_6.0.1-6%2Bdeb13u5.debian.tar.xz]
+Patch is refreshed as per the source code version 5.9.13
+Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
+===
+diff --git a/src/libsimaka/simaka_message.c b/src/libsimaka/simaka_message.c
+index 6706568..4862048 100644
+--- a/src/libsimaka/simaka_message.c
++++ b/src/libsimaka/simaka_message.c
+@@ -416,7 +416,7 @@ static bool parse_attributes(private_simaka_message_t *this, chunk_t in)
+ 			case AT_ENCR_DATA:
+ 			case AT_RAND:
+ 			{
+-				if (hdr->length * 4 > in.len || in.len < 4)
++				if (hdr->length == 0 || hdr->length * 4 > in.len || in.len < 4)
+ 				{
+ 					return invalid_length(hdr->type);
+ 				}
+@@ -439,7 +439,7 @@ static bool parse_attributes(private_simaka_message_t *this, chunk_t in)
+ 			case AT_PADDING:
+ 			default:
+ 			{
+-				if (hdr->length * 4 > in.len || in.len < 4)
++				if (hdr->length == 0 || hdr->length * 4 > in.len || in.len < 4)
+ 				{
+ 					return invalid_length(hdr->type);
+ 				}
+@@ -932,4 +932,3 @@ simaka_message_t *simaka_message_create(bool request, uint8_t identifier,
+ 	return simaka_message_create_data(chunk_create((char*)&hdr, sizeof(hdr)),
+ 									  crypto);
+ }
+-
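Review bot: In both rewritten guards (the AT_ENCR_DATA/AT_RAND case and the AT_PADDING/default case) `in.len < 4` is still evaluated last, after `hdr->length` has already been read, so the short-circuit does not protect the header read it appears meant to cover. Unless code outside these hunks already guarantees that `in` holds a complete attribute header, the condition is safer written as `if (in.len < 4 || hdr->length == 0 || hdr->length * 4 > in.len)`. parse_attributes() starts and ends outside the embedded hunks, so where `hdr` is assigned cannot be confirmed from here. The third embedded hunk only drops a trailing blank line at the end of simaka_message.c; it is unrelated to CVE-2026-35330 and could be left out to keep the backport minimal. The Upstream-Status line points at a Debian source tarball rather than the upstream commit, which makes the backport harder to verify against its origin.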
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.13.bbappend b/meta-networking/recipes-support/strongswan/strongswan_5.9.13.bbappend
index 9def352..0769de9 100644
--- a/meta-networking/recipes-support/strongswan/strongswan_5.9.13.bbappend
+++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.13.bbappend
@@ -1,4 +1,5 @@ 
 SRC_URI += "\
     file://tls-server-Prevent-infinite-loop-if-supported-versio.patch \
     file://pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch \
+    file://libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes.patch \
 "