CVE-2025-34468
Published 2025-12-31
CVE-2025-34468: libcoap versions up to and including 4.3.5, prior to commit 30db3ea, contain a stack-based buffer overflow in address resolution when attacker-controlled…
Priority P2 · 62 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.64% (45.9th percentile)
libcoap versions up to and including 4.3.5, prior to commit 30db3ea, contain a stack-based buffer overflow in address resolution when attacker-controlled hostname data is copied into a fixed 256-byte stack buffer without proper bounds checking. A remote attacker can trigger a crash and potentially achieve remote code execution depending on compiler options and runtime memory protections. Exploitation requires the proxy logic to be enabled (i.e., the proxy request handling code path in an application using libcoap).
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libcoap3 | — | — |
| libcoap | libcoap | <= 4.3.5 | — |
| msrc | azl3_libcap_2.69-10_on_azure_linux_3.0 | — | — |
| msrc | azl3_libcap_2.69-12_on_azure_linux_3.0 | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability is a stack-based buffer overflow in libcoap's address resolution code path, triggered when attacker-controlled hostname data is copied into a fixed 256-byte stack buffer without bounds checking. Detection should focus on oversized hostname fields in CoAP proxy requests.
- Exploitation is only possible when the proxy logic is enabled in the libcoap-based application. Audit and monitor applications using libcoap with proxy request handling enabled as a priority target.
- Vulnerable versions are libcoap 4.3.5 and earlier, prior to commit 30db3ea. Inventory and flag any deployments running libcoap <= 4.3.5 without the patch commit applied.
- The overflow and potential RCE outcome is conditional on compiler options and runtime memory protections (e.g., stack canaries, ASLR, NX). Environments compiled without these mitigations are at higher risk of RCE rather than just DoS/crash.
- The vulnerable code path is only reachable when proxy functionality is explicitly enabled in the application using libcoap. Applications not using the proxy request handling code path are not exploitable.
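An added detection example, not taken from any of the sources above or from libcoap itself: a minimal RFC 7252 option parser that flags Uri-Host and Proxy-Uri hostnames longer than 255 characters, the most a 256-byte buffer can hold with its NUL terminator. The 255-character threshold and both sample messages are constructed assumptions for illustration.

```python
import struct
from urllib.parse import urlsplit

URI_HOST, PROXY_URI = 3, 35   # RFC 7252 option numbers
MAX_HOST_LEN = 255            # assumption: a 256-byte buffer holds 255 chars plus a NUL

def _extend(nibble, msg, pos):
    """Decode a 4-bit option delta/length nibble and its extension bytes (RFC 7252 s3.1)."""
    if nibble < 13:
        return nibble, pos
    if nibble == 13:
        return msg[pos] + 13, pos + 1
    if nibble == 14:
        return struct.unpack_from(">H", msg, pos)[0] + 269, pos + 2
    raise ValueError("reserved nibble 15 in option header")

def parse_coap_options(msg):
    """Return [(option_number, value)] from a CoAP message, stopping at the 0xFF payload marker."""
    if len(msg) < 4 or (msg[0] & 0x0F) > 8:
        raise ValueError("bad CoAP header")
    pos, number, opts = 4 + (msg[0] & 0x0F), 0, []   # skip the 4-byte header and the token
    while pos < len(msg) and msg[pos] != 0xFF:
        delta, length = msg[pos] >> 4, msg[pos] & 0x0F
        delta, pos = _extend(delta, msg, pos + 1)
        length, pos = _extend(length, msg, pos)
        if pos + length > len(msg):
            raise ValueError("option value overruns message")
        number += delta                               # option numbers are delta-encoded
        opts.append((number, msg[pos:pos + length]))
        pos += length
    return opts

def oversized_hostnames(msg):
    """[(option_number, host_length)] for Uri-Host / Proxy-Uri hosts longer than MAX_HOST_LEN."""
    hits = []
    for num, val in parse_coap_options(msg):
        if num == URI_HOST:
            host = val.decode("utf-8", "replace")
        elif num == PROXY_URI:                        # proxy requests carry the target in Proxy-Uri
            host = urlsplit(val.decode("utf-8", "replace")).hostname or ""
        else:
            continue
        if len(host) > MAX_HOST_LEN:
            hits.append((num, len(host)))
    return hits

# Constructed samples: Ver=1, CON, TKL=0, code GET, Message ID 0x1234, then options.
BENIGN = b"\x40\x01\x12\x34" + b"\x3c" + b"sensor.local" + b"\x84" + b"temp"  # Uri-Host, Uri-Path
# Proxy-Uri of 312 bytes: delta 35 -> nibble 13 + ext 22; length 312 -> nibble 14 + ext 312-269=43
OVERSIZED = b"\x40\x01\x12\x34" + b"\xde\x16\x00\x2b" + b"coap://" + b"a" * 300 + b"/temp"
```

Run `oversized_hostnames` over captured CoAP datagrams destined for a libcoap proxy; a non-empty result is a candidate for alerting, and a malformed option header raises `ValueError` rather than being silently skipped.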
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.2 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 8.2 | HIGH | — |
| vendor_msrc | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 8.2 | HIGH | — |
GHSA
GHSA-rj9f-6c28-qf6x: libcoap versions up to and including 4
ghsa_unreviewed · 2025-12-31 · HIGH · CWE-121
OSV
CVE-2025-34468: libcoap versions up to and including 4
osv · 2025-12-31 · CVSS 8.2 · HIGH
Microsoft
libcoap Stack-Based Buffer Overflow in Address Resolution DoS or Potential RCE
vendor_msrc · 2025-12-09 · CVSS 9.8 · HIGH · CWE-121
Mariner: Mariner
VulnCheck: VulnCheck
Customer Action Required: Yes
Debian
CVE-2025-34468: libcoap3 - libcoap versions up to and including 4.3.5, prior to commit 30db3ea, contain a s...
vendor_debian · 2025 · CVSS 8.2 · HIGH
Scope: local
bookworm: open
forky: open
sid: open
trixie: open
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-34468 libcoap: libcoap: Remote code execution or Denial of Service via stack-based buffer overflow in address resolution [fedora-42]
bugzilla · 2026-01-01 · CVSS 8.2 · HIGH
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
FEDORA-2026-0ce923a09d (libcoap-4.3.5b-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-
Bugzilla
CVE-2025-34468 libcoap: libcoap: Remote code execution or Denial of Service via stack-based buffer overflow in address resolution [fedora-43]
bugzilla · 2026-01-01 · CVSS 8.2 · HIGH
Discussion:
FEDORA-2026-0ce923a09d (libcoap-4.3.5b-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-
Wiz
CVE-2025-34468 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.2 · HIGH
CVE-2025-34468: NixOS vulnerability analysis and mitigation
Source: NVD
Score: 8.2
Published: December 31, 2025
Severity: HIGH
CNA Score: 8.2
Affected Technologies: NixOS, Homebrew
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A