CVE-2026-29013

Low

Low Medium High Critical

CVSS Score

Published: Apr 17, 2026

Last Modified: Apr 17, 2026

Vulnerability Description

libcoap contains out-of-bounds read vulnerabilities in OSCORE Appendix B.2 CBOR unwrap handling where get_byte_inc() in src/oscore/oscore_cbor.c relies solely on assert() for bounds checking, which is removed in release builds compiled with NDEBUG. Attackers can send crafted CoAP requests with malformed OSCORE options or responses during OSCORE negotiation to trigger out-of-bounds reads during CBOR parsing and potentially cause heap buffer overflow writes through integer wraparound in allocation size computation.

References & Resources

Severity Details

out of 10.0

Low

Weakness Type (CWE)

CWE-125 Top 25 #11

Out-of-bounds Read

Description: The product reads data past the end, or before the beginning, of the intended buffer.
Typical Severity: High
Abstraction Level: Base

View CWE Details on MITRE

Key Information

Published Date: April 17, 2026

External Resources

NIST NVD

National Vulnerability Database

MITRE CVE

Official CVE record

CVE Vulnerabilities

Posts & Pages