2426524 – (CVE-2025-34468) CVE-2025-34468 libcoap: libcoap: Remote code execution or Denial of Service via stack-based buffer overflow in address resolution

Bug 2426524 (CVE-2025-34468) - CVE-2025-34468 libcoap: libcoap: Remote code execution or Denial of Service via stack-based buffer overflow in address resolution

Summary: CVE-2025-34468 libcoap: libcoap: Remote code execution or Denial of Service v...

Keywords:
Status:	NEW
Alias:	CVE-2025-34468
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2426602 2426603
Blocks:
TreeView+	depends on / blocked

Reported:	2025-12-31 19:03 UTC by OSIDB Bzimport
Modified:	2026-01-01 10:39 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-12-31 19:03:08 UTC

libcoap versions up to and including 4.3.5, prior to commit 30db3ea, contain a stack-based buffer overflow in address resolution when attacker-controlled hostname data is copied into a fixed 256-byte stack buffer without proper bounds checking. A remote attacker can trigger a crash and potentially achieve remote code execution depending on compiler options and runtime memory protections. Exploitation requires the proxy logic to be enabled (i.e., the proxy request handling code path in an application using libcoap).

Note You need to log in before you can comment on or make changes to this bug.