Description
libcoap contains out-of-bounds read vulnerabilities in OSCORE Appendix B.2 CBOR unwrap handling where get_byte_inc() in src/oscore/oscore_cbor.c relies solely on assert() for bounds checking, which is removed in release builds compiled with NDEBUG. Attackers can send crafted CoAP requests with malformed OSCORE options or responses during OSCORE negotiation to trigger out-of-bounds reads during CBOR parsing and potentially cause heap buffer overflow writes through integer wraparound in allocation size computation.
Published: 2026-04-17
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption via Heap Buffer Overflow
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an out-of-bounds read during OSCORE Appendix B.2 (RFC 8613) CBOR unwrap processing in libcoap. get_byte_inc() in src/oscore/oscore_cbor.c bounds-checks its read only with assert(), which the preprocessor removes in release builds compiled with NDEBUG, so a malformed OSCORE option in a request, or a malformed response during OSCORE negotiation, drives the CBOR parser to read beyond the received buffer. Lengths taken from the unchecked parse then feed an allocation-size computation that can wrap around, producing an undersized allocation and a subsequent heap buffer overflow write. The primary impact is memory corruption: at minimum a crash (denial of service), and potentially code execution.
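The two bug patterns in that paragraph, as an added illustration that is not libcoap's code: an assert()-only byte reader beside a checked one, a CBOR unsigned-integer decoder that refuses a truncated header instead of reading past it, and the wrapping allocation-size arithmetic beside an overflow-checked version. The function names (get_byte_inc_assert_only, get_byte_inc_release, get_byte_inc_checked, cbor_uint_checked, decode_uint, alloc_size_*) and the byte strings are assumptions constructed for the demo. Compiling with -DNDEBUG makes get_byte_inc_assert_only identical to get_byte_inc_release.

```c
/* Added illustration of the bug class described above. Not libcoap's
 * source: all names and sample inputs are constructed for this demo. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Vulnerable pattern: the only bounds check is an assert(). With
 * -DNDEBUG the preprocessor deletes it and the read is unconditional. */
static uint8_t get_byte_inc_assert_only(const uint8_t **p, const uint8_t *end)
{
    assert(*p < end);
    return *(*p)++;
}

/* What the function above reduces to in a release (NDEBUG) build. */
static uint8_t get_byte_inc_release(const uint8_t **p)
{
    return *(*p)++;
}

/* Hardened pattern: the check survives NDEBUG; truncation is an error
 * return, never a read. */
static int get_byte_inc_checked(const uint8_t **p, const uint8_t *end, uint8_t *out)
{
    if (*p >= end)
        return -1;
    *out = *(*p)++;
    return 0;
}

/* Decode a CBOR unsigned integer (major type 0, RFC 8949 section 3.1)
 * with the checked reader. Additional info 24..27 means 1/2/4/8 payload
 * bytes follow. Returns 0 on success, -1 on malformed or truncated input. */
static int cbor_uint_checked(const uint8_t **p, const uint8_t *end, uint64_t *val)
{
    uint8_t ib, b;
    unsigned n, i;

    if (get_byte_inc_checked(p, end, &ib) < 0 || (ib >> 5) != 0)
        return -1;
    ib &= 0x1f;
    if (ib < 24) {
        *val = ib;
        return 0;
    }
    if (ib > 27)
        return -1;                  /* 28..31: reserved, not a uint */
    n = 1u << (ib - 24);
    *val = 0;
    for (i = 0; i < n; i++) {
        if (get_byte_inc_checked(p, end, &b) < 0)
            return -1;              /* truncated header: stop, no over-read */
        *val = (*val << 8) | b;
    }
    return 0;
}

/* Convenience wrapper for a whole message: value, or -1 on error
 * (demo assumes values below 2^63). */
static long long decode_uint(const uint8_t *buf, size_t len)
{
    const uint8_t *p = buf;
    uint64_t v;
    return cbor_uint_checked(&p, buf + len, &v) == 0 ? (long long)v : -1;
}

/* The over-read itself: the logical message is {0x1a, 0xff, 0xff}, a 4-byte
 * uint header carrying only 2 payload bytes. It sits inside a larger
 * constructed backing buffer so the release-build reader over-reads into
 * memory we still own. Returns how many bytes were consumed past the
 * logical end; the checked decoder returns -1 on the same input instead. */
static int demo_release_overread(void)
{
    const uint8_t backing[8] = {0x1a, 0xff, 0xff, 0xaa, 0xbb, 0, 0, 0};
    const uint8_t *p = backing, *end = backing + 3;
    uint8_t ib = get_byte_inc_release(&p);
    unsigned n = 1u << ((ib & 0x1f) - 24), i;
    for (i = 0; i < n; i++)
        (void)get_byte_inc_release(&p);     /* unchecked: walks past end */
    return (int)(p - end);
}

/* Vulnerable arithmetic: size_t wraps silently, so a huge attacker-chosen
 * count yields a tiny allocation that the later copy overflows. */
static size_t alloc_size_unchecked(uint64_t count, size_t elem, size_t extra)
{
    return (size_t)count * elem + extra;
}

/* Hardened: refuse any size whose computation would wrap. */
static int alloc_size_checked(uint64_t count, size_t elem, size_t extra, size_t *out)
{
    if (elem == 0 || count > (uint64_t)((SIZE_MAX - extra) / elem))
        return -1;
    *out = (size_t)count * elem + extra;
    return 0;
}

int main(void)
{
    const uint8_t ok[1] = {0x17};
    const uint8_t *q = ok;
    printf("assert-only reader on valid input: %u\n", get_byte_inc_assert_only(&q, ok + 1));
    printf("release reader over-read past end by %d bytes\n", demo_release_overread());
    printf("checked decode of truncated header: %lld\n",
           decode_uint((const uint8_t[]){0x1a, 0xff, 0xff}, 3));
    printf("unchecked size for count=SIZE_MAX: %zu\n", alloc_size_unchecked(SIZE_MAX, 1, 16));
    printf("checked size for count=SIZE_MAX: %d\n", alloc_size_checked(SIZE_MAX, 1, 16, &(size_t){0}));
    return 0;
}
```

The practitioner check this suggests: grep the parser for bounds logic that exists only inside assert() (or only under a debug macro), and confirm the shipped build defines NDEBUG; if it does, those asserts are not checks.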

Affected Systems

The flaw is in the libcoap library itself, so any application or device that links libcoap with OSCORE support enabled is potentially affected. No specific product versions are listed; treat every libcoap release that does not include the referenced fix as at risk. Builds compiled with NDEBUG (the usual release configuration) are the exposed ones, since only there is the assert()-based check removed; a debug build instead aborts on the failed assertion, which is still a remotely triggerable denial of service.

Risk and Exploitability

The CVSS v4.0 base score of 8.8 indicates high severity; the vector (AV:N/AC:L/AT:N/PR:N/UI:N) describes a network-reachable flaw that needs no privileges and no user interaction. The EPSS score is below 1% (very low), and the vulnerability is not listed in the CISA KEV catalog, so no active exploitation has been documented. The attack vector is remote, via network traffic, because CoAP is a network protocol; an attacker must be able to deliver crafted CoAP messages (requests with malformed OSCORE options, or malformed responses during OSCORE negotiation) to a libcoap endpoint with OSCORE enabled. A low EPSS score means exploitation has not been observed as likely yet, not that the bug is hard to trigger: the SSVC assessment on this page rates it Automatable.

Generated by OpenCVE AI on April 18, 2026 at 08:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libcoap to a version that includes the OSCORE CBOR buffer check fix, or apply the patch from the commit referenced in the advisory.
  • If an immediate upgrade is not possible, disable OSCORE support in libcoap or in the application until the fix is applied.
  • Implement network filtering or monitoring to detect and block malformed CoAP messages targeting the OSCORE endpoint, and consider disabling or limiting exposure of CoAP services in environments with critical assets.



Advisories

No advisories yet.

History

Mon, 20 Apr 2026 17:30:00 +0000


Mon, 20 Apr 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 22:45:00 +0000

Type: First Time appeared
Values Added: Libcoap; Libcoap libcoap

Type: Vendors & Products
Values Added: Libcoap; Libcoap libcoap

Fri, 17 Apr 2026 21:30:00 +0000

Type: Description
Values Added: libcoap contains out-of-bounds read vulnerabilities in OSCORE Appendix B.2 CBOR unwrap handling where get_byte_inc() in src/oscore/oscore_cbor.c relies solely on assert() for bounds checking, which is removed in release builds compiled with NDEBUG. Attackers can send crafted CoAP requests with malformed OSCORE options or responses during OSCORE negotiation to trigger out-of-bounds reads during CBOR parsing and potentially cause heap buffer overflow writes through integer wraparound in allocation size computation.

Type: Title
Values Added: libcoap Out-of-Bounds Read in OSCORE CBOR Unwrap Handling

Type: Weaknesses
Values Added: CWE-125

Type: References
Values Added:

Type: Metrics
Values Added: cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-20T16:46:56.223Z

Reserved: 2026-03-03T16:42:01.013Z

Link: CVE-2026-29013

Vulnrichment

Updated: 2026-04-20T13:53:39.285Z

NVD

Status : Awaiting Analysis

Published: 2026-04-17T22:16:31.063

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-29013

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:00:05Z

Weaknesses