Description
libcoap contains out-of-bounds read vulnerabilities in OSCORE Appendix B.2 CBOR unwrap handling where get_byte_inc() in src/oscore/oscore_cbor.c relies solely on assert() for bounds checking, which is removed in release builds compiled with NDEBUG. Attackers can send crafted CoAP requests with malformed OSCORE options or responses during OSCORE negotiation to trigger out-of-bounds reads during CBOR parsing and potentially cause out-of-bounds reads through integer wraparound in allocation size computation.
Published: 2026-04-17
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out-of-bounds read during OSCORE (RFC 8613) Appendix B.2 CBOR unwrap processing in libcoap. get_byte_inc() in src/oscore/oscore_cbor.c guards its buffer reads only with assert(); a release build compiled with NDEBUG drops that assert, leaving no bounds check at all. A peer can therefore send a CoAP request carrying a malformed OSCORE option, or a malformed response during the Appendix B.2 exchange, so that the CBOR parser reads past the end of the received message. The same attacker-controlled length fields can also wrap an allocation-size computation, so that a buffer smaller than intended is allocated and later read beyond its bounds. The practical outcome is a crash of the CoAP endpoint or disclosure of adjacent memory contents; the assigned weakness is CWE-125 (out-of-bounds read), and the CVE description was revised on 26 May 2026 from "heap buffer overflow writes" to "out-of-bounds reads" for the wraparound case, so the current record does not claim a write primitive.
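The following C program is an added illustration of the two defects the analysis describes; it is not libcoap's source, and every name in it (cursor_t, get_byte_inc_assert_only, cbor_bstr_checked, alloc_size_checked) is hypothetical. It places the assert-only reader beside a reader whose check survives NDEBUG, decodes a CBOR byte string (major type 2, RFC 8949) with the attacker-controlled length validated against the bytes actually remaining, and shows the size_t wraparound that turns an oversized length into a tiny allocation. The inputs are constructed for the example.

```c
/* Added illustration of CVE-2026-29013's defect classes; not libcoap code.
 * All names are hypothetical. Build with and without -DNDEBUG to see the
 * assert-only check disappear. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    const uint8_t *ptr;   /* next unread byte */
    size_t len;           /* bytes remaining */
} cursor_t;

/* Vulnerable pattern: the only guard is assert(), which -DNDEBUG removes,
 * so on a truncated message a release build reads past the buffer. */
static uint8_t get_byte_inc_assert_only(cursor_t *c) {
    assert(c->len > 0);
    c->len--;
    return *c->ptr++;
}

/* Hardened reader: the check is unconditional; callers must test the result. */
static int get_byte_inc_checked(cursor_t *c, uint8_t *out) {
    if (c->len == 0)
        return -1;
    c->len--;
    *out = *c->ptr++;
    return 0;
}

/* Decode one CBOR byte string from the cursor. Returns 0 and points
 * *out/*outlen at the payload, or -1 when the initial byte, the length
 * field or the payload itself would run past the end of the buffer. */
static int cbor_bstr_checked(cursor_t *c, const uint8_t **out, size_t *outlen) {
    uint8_t ib;
    uint64_t n = 0;
    int extra = 0;
    if (get_byte_inc_checked(c, &ib) != 0)
        return -1;
    if ((ib >> 5) != 2)                  /* major type 2 = byte string */
        return -1;
    uint8_t ai = ib & 0x1f;
    if (ai < 24)        n = ai;
    else if (ai == 24)  extra = 1;
    else if (ai == 25)  extra = 2;
    else if (ai == 26)  extra = 4;
    else if (ai == 27)  extra = 8;
    else                return -1;       /* indefinite length or reserved */
    for (int i = 0; i < extra; i++) {
        uint8_t b;
        if (get_byte_inc_checked(c, &b) != 0)
            return -1;                   /* length field itself truncated */
        n = (n << 8) | b;
    }
    /* n is attacker-controlled (up to 2^64-1): bound it by what is left
     * before using it as a pointer offset or an allocation size. */
    if (n > c->len)
        return -1;
    *out = c->ptr;
    *outlen = (size_t)n;
    c->ptr += n;
    c->len -= (size_t)n;
    return 0;
}

/* Unsigned wraparound is well defined in C, which is why it is dangerous:
 * SIZE_MAX + 2 silently becomes 1, and malloc(1) "succeeds". */
static size_t alloc_size_unchecked(size_t header, size_t payload) {
    return header + payload;
}

/* Hardened: refuse any sum that would wrap. */
static int alloc_size_checked(size_t header, size_t payload, size_t *total) {
    if (payload > SIZE_MAX - header)
        return -1;
    *total = header + payload;
    return 0;
}

int main(void) {
    /* Constructed inputs: a well-formed 3-byte string and a truncated one
     * whose header claims 5 bytes but only 2 follow. */
    static const uint8_t good[] = {0x43, 'a', 'b', 'c'};
    static const uint8_t trunc[] = {0x45, 'a', 'b'};
    const uint8_t *p;
    size_t n;
    cursor_t c = {good, sizeof good};
    printf("first byte: 0x%02x\n", get_byte_inc_assert_only(&c));
    c = (cursor_t){good, sizeof good};
    printf("good:  %d\n", cbor_bstr_checked(&c, &p, &n));
    c = (cursor_t){trunc, sizeof trunc};
    printf("trunc: %d\n", cbor_bstr_checked(&c, &p, &n));
    printf("wrap:  %zu\n", alloc_size_unchecked(SIZE_MAX, 2));
    return 0;
}
```

The decisive difference is that cbor_bstr_checked compares the decoded length against c->len before touching memory, and that the check is ordinary control flow rather than an assert(); rebuilding without NDEBUG would only turn the silent over-read in get_byte_inc_assert_only into an abort, which is still a remotely triggerable crash.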

Affected Systems

The flaw is in the libcoap library itself, so any application or device that links libcoap with OSCORE support enabled is potentially affected. The CVE record lists no specific versions (the CPE entry is a wildcard covering every libcoap version), so every release that does not include the referenced fix should be treated as affected.

Risk and Exploitability

The CNA assigned a CVSS 4.0 base score of 8.8 (High) with vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H; NVD later added a CVSS 3.1 score of 9.8 (Critical). The EPSS score is below 1% and the CVE is not listed in the CISA KEV catalog, so no exploitation in the wild has been documented, although the SSVC assessment rates it Automatable: yes. The attack vector is network and requires neither authentication nor user interaction: any peer able to deliver a CoAP message to an OSCORE-enabled endpoint can trigger the faulty parse. The low EPSS score indicates that exploitation is feasible but not yet observed at scale.

Generated by OpenCVE AI on May 26, 2026 at 01:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libcoap to a release that includes the OSCORE CBOR bounds-check fix, or apply the upstream commit referenced by the CVE record.
  • If an immediate upgrade is not possible, disable OSCORE support at build time or in the application until the fix is applied.
  • Do not rely on rebuilding without NDEBUG as a mitigation: that restores the assert() but converts the out-of-bounds read into an abort(), which is still a remotely triggerable denial of service.
  • Implement network filtering or monitoring to detect and block malformed CoAP messages reaching OSCORE-enabled endpoints, and consider disabling or limiting exposure of CoAP services in environments with critical assets.

Generated by OpenCVE AI on May 26, 2026 at 01:52 UTC.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 16:30:00 +0000

Type: CPEs
  Added: cpe:2.3:a:libcoap:libcoap:*:*:*:*:*:*:*:*
Type: Metrics (cvssV3_1)
  Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 26 May 2026 00:00:00 +0000

Type: Description
  Removed: libcoap contains out-of-bounds read vulnerabilities in OSCORE Appendix B.2 CBOR unwrap handling where get_byte_inc() in src/oscore/oscore_cbor.c relies solely on assert() for bounds checking, which is removed in release builds compiled with NDEBUG. Attackers can send crafted CoAP requests with malformed OSCORE options or responses during OSCORE negotiation to trigger out-of-bounds reads during CBOR parsing and potentially cause heap buffer overflow writes through integer wraparound in allocation size computation.
  Added: libcoap contains out-of-bounds read vulnerabilities in OSCORE Appendix B.2 CBOR unwrap handling where get_byte_inc() in src/oscore/oscore_cbor.c relies solely on assert() for bounds checking, which is removed in release builds compiled with NDEBUG. Attackers can send crafted CoAP requests with malformed OSCORE options or responses during OSCORE negotiation to trigger out-of-bounds reads during CBOR parsing and potentially cause out-of-bounds reads through integer wraparound in allocation size computation.

Mon, 20 Apr 2026 17:30:00 +0000

Mon, 20 Apr 2026 14:15:00 +0000

Type: Metrics (ssvc)
  Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 22:45:00 +0000

Type: First Time appeared
  Added: Libcoap; Libcoap libcoap
Type: Vendors & Products
  Added: Libcoap; Libcoap libcoap

Fri, 17 Apr 2026 21:30:00 +0000

Type: Description
  Added: libcoap contains out-of-bounds read vulnerabilities in OSCORE Appendix B.2 CBOR unwrap handling where get_byte_inc() in src/oscore/oscore_cbor.c relies solely on assert() for bounds checking, which is removed in release builds compiled with NDEBUG. Attackers can send crafted CoAP requests with malformed OSCORE options or responses during OSCORE negotiation to trigger out-of-bounds reads during CBOR parsing and potentially cause heap buffer overflow writes through integer wraparound in allocation size computation.
Type: Title
  Added: libcoap Out-of-Bounds Read in OSCORE CBOR Unwrap Handling
Type: Weaknesses
  Added: CWE-125
Type: References
  Added: (none shown)
Type: Metrics (cvssV4_0)
  Added: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-25T23:41:55.830Z

Reserved: 2026-03-03T16:42:01.013Z

Link: CVE-2026-29013

Vulnrichment

Updated: 2026-04-20T13:53:39.285Z

NVD

Status : Analyzed

Published: 2026-04-17T22:16:31.063

Modified: 2026-06-02T16:23:05.707

Link: CVE-2026-29013

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T02:00:13Z

Weaknesses