Description

libcoap versions up to and including 4.3.5, prior to commit 30db3ea, contain a stack-based buffer overflow in address resolution when attacker-controlled hostname data is copied into a fixed 256-byte stack buffer without proper bounds checking. A remote attacker can trigger a crash and potentially achieve remote code execution depending on compiler options and runtime memory protections. Exploitation requires the proxy logic to be enabled (i.e., the proxy request handling code path in an application using libcoap).

Related CPE's

Could not find any relations

References

https://github.com/obgm/libcoap/commit/30db3ea

https://github.com/obgm/libcoap/pull/1737

https://libcoap.net/

https://www.vulncheck.com/advisories/libcoap-stack-based-buffer-overflow-in-address-resolution-dos-or-potential-rce

Weaknesses

[email protected]

Primary
CWE-121

CVSS impact metrics

Missing metrics for CVSS V

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Awaiting analysis

Published

2025-12-31T19:15:43.923

2 hours ago

Last modified

2025-12-31T20:42:15.637

1 hour ago