CVE-2025-59391

EUVD-2025-201786
A memory disclosure vulnerability exists in libcoap's OSCORE configuration parser in libcoap before release-4.3.5-patches. An out-of-bounds read may occur when parsing certain configuration values, allowing an attacker to infer or read memory beyond string boundaries in the .rodata section. This could potentially lead to information disclosure or denial of service.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
CISA-ADPADP
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 16%
Affected Products (NVD)
VendorProductVersion
libcoaplibcoap
𝑥
< 4.3.5a
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libcoap3
bookworm
no-dsa
forky
4.3.5-2
fixed
sid
4.3.5-2
fixed
trixie
4.3.4-1.1+deb13u2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libcoap
bionic
needs-triage
jammy
dne
noble
dne
plucky
dne
questing
dne
libcoap2
focal
needs-triage
jammy
needs-triage
noble
dne
plucky
dne
questing
dne
libcoap3
jammy
needs-triage
noble
needs-triage
plucky
ignored
questing
needs-triage
Common Weakness Enumeration
References
https://github.com/obgm/libcoap/pull/1730
https://github.com/obgm/libcoap/releases/tag/v4.3.5a