CVE-2025-34468

CRITICAL

libcoap <= 4.3.5 - Stack-based Buffer Overflow in Address Resolution


Description

libcoap versions up to and including 4.3.5, prior to commit 30db3ea, contain a stack-based buffer overflow in address resolution when attacker-controlled hostname data is copied into a fixed 256-byte stack buffer without proper bounds checking. A remote attacker can trigger a crash and potentially achieve remote code execution depending on compiler options and runtime memory protections. Exploitation requires the proxy logic to be enabled (i.e., the proxy request handling code path in an application using libcoap).

Scores

CVSS v3 9.8
EPSS 0.0064
EPSS Percentile 46.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-121 CWE-787
Status published
Products (2)
libcoap/libcoap < 4.3.5 (2 CPE variants)
libcoap/libcoap 30db3eaa1f0464722ebea2ca2d5084aebfbd344d
Published Dec 31, 2025
Tracked Since Feb 18, 2026