Cyber Posture

CVE-2025-34468

Severity: Critical · Public PoC

Published: 31 December 2025
Modified: 14 January 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0042 (61.9th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

libcoap versions up to and including 4.3.5, prior to commit 30db3ea, contain a stack-based buffer overflow in address resolution when attacker-controlled hostname data is copied into a fixed 256-byte stack buffer without proper bounds checking. A remote attacker can trigger a crash and potentially achieve remote code execution depending on compiler options and runtime memory protections. Exploitation requires the proxy logic to be enabled (i.e., the proxy request handling code path in an application using libcoap).

Mitigating Controls (NIST 800-53 r5) (AI)

- prevent: Directly requires identifying, reporting, and remediating the stack-based buffer overflow flaw in libcoap by applying the vendor patch from commit 30db3ea.
- prevent: Restricts the system to least functionality by disabling unnecessary proxy logic in libcoap applications, preventing the vulnerable address resolution code path from being triggered.
- prevent: Mandates validation of attacker-controlled hostname inputs with bounds checking before processing in libcoap's address resolution, directly countering the lack of bounds checking that causes the buffer overflow.
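The bounds-checked hostname copy that the description above and this control call for, shown as an added illustration rather than libcoap's own code or the fix in commit 30db3ea: the 256-byte stack buffer size follows the advisory text, while the function names, the length-delimited input and the sample hostnames are assumptions constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Fixed stack buffer size taken from the advisory text; everything else here is
 * a hypothetical illustration, not libcoap code. */
#define HOST_BUF_LEN 256

/*
 * The defect class described: attacker-supplied hostname bytes copied into a
 * fixed stack buffer by length (e.g. memcpy(stack_buf, host, host_len)) with no
 * check that host_len fits. Below is the bounded form: the copy is refused
 * unless the data and its terminating NUL both fit in dst.
 */
static int copy_hostname_bounded(char *dst, size_t dst_len,
                                 const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;
    if (src_len >= dst_len)          /* no room for the data plus NUL */
        return -1;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/*
 * Hypothetical resolve-style entry point: takes a length-delimited hostname
 * (as it would arrive in a CoAP Uri-Host or Proxy-Uri option), stages it in a
 * fixed stack buffer and hands back the NUL-terminated copy in `out`.
 * Returns 0 on success, -1 when the input is empty or would overflow.
 */
int resolve_hostname_checked(const char *host, size_t host_len,
                             char *out, size_t out_len)
{
    char stack_buf[HOST_BUF_LEN];

    if (host_len == 0)
        return -1;                   /* empty hostname is not resolvable */
    if (copy_hostname_bounded(stack_buf, sizeof stack_buf, host, host_len) != 0)
        return -1;                   /* too long: reject instead of overflowing */

    /* A real implementation would now call getaddrinfo(stack_buf, ...). */
    if (out != NULL && out_len > 0 &&
        copy_hostname_bounded(out, out_len, stack_buf, host_len) != 0)
        return -1;
    return 0;
}

/* Constructed sample input: a hostname made of `hostname_len` 'a' characters. */
int demo_result(size_t hostname_len)
{
    char host[512];
    char out[HOST_BUF_LEN];

    if (hostname_len >= sizeof host)
        return -2;                   /* outside the demo's input range */
    memset(host, 'a', hostname_len);
    host[hostname_len] = '\0';
    return resolve_hostname_checked(host, hostname_len, out, sizeof out);
}

int main(void)
{
    size_t lens[] = { 0, 63, 255, 256, 300 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("hostname length %3zu -> %s\n", lens[i],
               demo_result(lens[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The check is deliberately `src_len >= dst_len` rather than `>`: a 256-byte hostname fits the bytes but not the terminator, and writing that NUL one past the buffer is exactly the kind of off-by-one that turns a bounded copy into an out-of-bounds write. Rejecting over-long input with an error return, rather than silently truncating, also keeps the name that reaches the resolver identical to what the peer sent.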

Security Summary (AI)

CVE-2025-34468 is a stack-based buffer overflow vulnerability in the libcoap library, affecting versions up to and including 4.3.5 prior to commit 30db3ea. The flaw occurs in the address resolution functionality, where attacker-controlled hostname data is copied into a fixed 256-byte stack buffer without proper bounds checking, leading to CWE-121 (Stack-based Buffer Overflow) and CWE-787 (Out-of-bounds Write) conditions. Applications using libcoap with the proxy logic enabled are susceptible, as exploitation requires triggering the proxy request handling code path.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By supplying malicious hostname data, the attacker can cause a denial-of-service crash or, depending on compiler options and runtime memory protections, potentially achieve remote code execution.

Mitigation involves updating to libcoap versions incorporating commit 30db3ea, available via the project's GitHub repository (https://github.com/obgm/libcoap/commit/30db3ea) and associated pull request (https://github.com/obgm/libcoap/pull/1737). Additional details are provided in the official libcoap site (https://libcoap.net/) and VulnCheck advisory (https://www.vulncheck.com/advisories/libcoap-stack-based-buffer-overflow-in-address-resolution-dos-or-potential-rce), which recommend disabling proxy features if patching is not immediately feasible.

Details

CWE(s)

CWE-121 (Stack-based Buffer Overflow), CWE-787 (Out-of-bounds Write)

Affected Products

Vendor: libcoap · Product: libcoap · Versions: ≤ 4.3.5

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stack-based buffer overflow in libcoap's public-facing proxy/address resolution enables remote unauthenticated exploitation for DoS or potential RCE on affected applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
