CVE-2025-34468
published 2025-12-31

Priority: P262 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.64% (45.9th percentile)

libcoap versions up to and including 4.3.5, prior to commit 30db3ea, contain a stack-based buffer overflow in address resolution when attacker-controlled hostname data is copied into a fixed 256-byte stack buffer without proper bounds checking. A remote attacker can trigger a crash and potentially achieve remote code execution depending on compiler options and runtime memory protections. Exploitation requires the proxy logic to be enabled (i.e., the proxy request handling code path in an application using libcoap).

Affected

4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libcoap3 | | |
| libcoap | libcoap | <= 4.3.5 | |
| msrc | azl3_libcap_2.69-10_on_azure_linux_3.0 | | |
| msrc | azl3_libcap_2.69-12_on_azure_linux_3.0 | | |

Detection & IOCs (extracted from sources)

  • The vulnerability is a stack-based buffer overflow in libcoap's address resolution code path, triggered when attacker-controlled hostname data is copied into a fixed 256-byte stack buffer without bounds checking. Detection should focus on oversized hostname fields in CoAP proxy requests.
  • Exploitation is only possible when the proxy logic is enabled in the libcoap-based application. Prioritize auditing and monitoring applications that use libcoap with proxy request handling enabled.
  • Vulnerable versions are libcoap 4.3.5 and earlier, prior to commit 30db3ea. Inventory and flag any deployments running libcoap <= 4.3.5 without the patch commit applied.
  • Whether the overflow leads to RCE or only a crash depends on compiler options and runtime memory protections (e.g., stack canaries, ASLR, NX). Environments compiled without these mitigations are at higher risk of RCE rather than just DoS/crash.
  • The vulnerable code path is only reachable when proxy functionality is explicitly enabled in the application using libcoap. Applications not using the proxy request handling code path are not exploitable.
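
The first detection point above, as an added example (not code from libcoap or from this page's sources): a parser that walks the options of a raw CoAP message using the RFC 7252 option encoding and reports Uri-Host or Proxy-Uri hosts longer than a limit. The 255-byte limit, the function names and the two sample messages are assumptions constructed for illustration.

```python
URI_HOST, PROXY_URI = 3, 35   # option numbers from RFC 7252
MAX_HOST = 255                # assumed limit: longest host that fits 256 bytes with a NUL

def _ext(msg, pos, nibble):
    """Decode an option delta/length nibble plus extension; return (value, new_pos)."""
    size, base = {13: (1, 13), 14: (2, 269)}.get(nibble, (0, nibble))
    if nibble == 15 or pos + size > len(msg):
        raise ValueError("malformed option header")
    return base + int.from_bytes(msg[pos:pos + size], "big"), pos + size

def coap_options(msg):
    """Yield (option_number, value) for each option of a raw CoAP message."""
    if len(msg) < 4 or msg[0] >> 6 != 1 or (msg[0] & 0x0F) > 8:
        raise ValueError("not a CoAP version 1 message")
    pos, number = 4 + (msg[0] & 0x0F), 0            # skip header and token
    while pos < len(msg) and msg[pos] != 0xFF:      # 0xFF marks the payload
        first = msg[pos]
        delta, pos = _ext(msg, pos + 1, first >> 4)
        length, pos = _ext(msg, pos, first & 0x0F)
        if pos + length > len(msg):
            raise ValueError("option value truncated")
        number += delta                             # option numbers are delta-encoded
        yield number, msg[pos:pos + length]
        pos += length

def uri_host(uri):
    """Return the host component of an absolute URI given as bytes."""
    rest = uri.split(b"://", 1)[-1]
    for sep in b"/?#":                              # cut path, query, fragment
        rest = rest.split(bytes([sep]), 1)[0]
    rest = rest.rsplit(b"@", 1)[-1]                 # drop userinfo
    if rest.startswith(b"["):                       # IPv6 literal
        return rest[1:].split(b"]", 1)[0]
    return rest.split(b":", 1)[0]                   # drop port

def oversized_hosts(msg, limit=MAX_HOST):
    """Return [(option_number, host_length)] for hosts longer than limit."""
    hosts = ((n, v if n == URI_HOST else uri_host(v))
             for n, v in coap_options(msg) if n in (URI_HOST, PROXY_URI))
    return [(n, len(h)) for n, h in hosts if len(h) > limit]

# Constructed samples: GET requests carrying a single Proxy-Uri option.
SAMPLE_OK = b"\x40\x01\x12\x35\xdd\x16\x07" + b"coap://example.com/x"
SAMPLE_BAD = b"\x40\x01\x12\x34\xde\x16\x00\x28" + b"coap://" + b"a" * 300 + b"/x"

if __name__ == "__main__":
    print(oversized_hosts(SAMPLE_OK), oversized_hosts(SAMPLE_BAD))
```

A malformed or truncated message raises `ValueError`, which a sensor can log as its own signal instead of silently skipping the packet.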

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.2 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | | 8.2 | HIGH | |
| vendor_msrc | | 9.8 | CRITICAL | |
| vendor_debian | | 8.2 | HIGH | |