CVE-2026-29013 Overview
libcoap contains out-of-bounds read vulnerabilities in OSCORE Appendix B.2 CBOR unwrap handling where get_byte_inc() in src/oscore/oscore_cbor.c relies solely on assert() for bounds checking, which is removed in release builds compiled with NDEBUG. Attackers can send crafted CoAP requests with malformed OSCORE options or responses during OSCORE negotiation to trigger out-of-bounds reads during CBOR parsing and potentially cause heap buffer overflow writes through integer wraparound in allocation size computation.
Critical Impact
This vulnerability enables remote attackers to exploit out-of-bounds read conditions and potentially trigger heap buffer overflow writes through network-accessible CoAP endpoints, potentially leading to information disclosure, denial of service, or memory corruption in IoT and constrained network environments.
Affected Products
- libcoap (versions with vulnerable OSCORE CBOR handling)
Discovery Timeline
- 2026-04-17 - CVE CVE-2026-29013 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-29013
Vulnerability Analysis
This vulnerability is classified as an Out-of-Bounds Read (CWE-125) affecting the libcoap library's OSCORE implementation. The core issue lies in the get_byte_inc() function within src/oscore/oscore_cbor.c, which performs CBOR (Concise Binary Object Representation) parsing for OSCORE Appendix B.2 operations. The function relies exclusively on assert() statements for bounds validation—a practice that creates a significant security gap because these assertions are compiled out in production release builds when the NDEBUG preprocessor flag is defined.
The vulnerability manifests during the processing of OSCORE options in CoAP requests and responses. When malformed CBOR data is supplied, the parser continues reading beyond allocated buffer boundaries, exposing sensitive memory contents or causing application crashes. Additionally, the vulnerability can lead to heap buffer overflow writes through integer wraparound conditions in allocation size computations, further expanding the potential attack surface.
Root Cause
The root cause is improper input validation where security-critical bounds checking is implemented using assert() macros instead of runtime validation that persists in release builds. When libcoap is compiled with NDEBUG (standard for production releases), all assert() calls become no-ops, effectively removing all bounds checking from the CBOR parsing routines. This leaves the application vulnerable to buffer over-reads and potential heap corruption when processing attacker-controlled input.
Attack Vector
An attacker can exploit this vulnerability remotely over the network by sending specially crafted CoAP requests containing malformed OSCORE options. The attack does not require authentication and can be executed with low complexity. The attacker constructs CoAP messages with malicious CBOR-encoded OSCORE payloads designed to trigger the out-of-bounds read condition during OSCORE negotiation or message processing. This can lead to information disclosure from heap memory, denial of service through application crashes, or potentially more severe memory corruption through the integer wraparound vulnerability in allocation size computation.
The security patch addresses null pointer checks and proper bounds validation in the PDU handling code:
memcpy(entry->pdu, pdu, offsetof(coap_pdu_t, token));
memcpy(entry->pdu->token, pdu->token, pdu->used_size);
/* And adjust all the pointers etc. */
- entry->pdu->data = entry->pdu->token + (pdu->data - pdu->token);
+ if (pdu->data)
+ entry->pdu->data = entry->pdu->token + (pdu->data - pdu->token);
}
}
entry->cache_key = coap_cache_derive_key(session, pdu, session_based);
Source: GitHub Commit for libcoap
Additionally, the PDU resize function was updated with improved bounds checking:
int
coap_pdu_resize(coap_pdu_t *pdu, size_t new_size) {
if (new_size > pdu->alloc_size) {
+ /* Expanding the PDU usage */
#if !defined(WITH_LWIP)
uint8_t *new_hdr;
size_t offset;
#endif
+
if (pdu->max_size && new_size > pdu->max_size) {
coap_log_warn("coap_pdu_resize: pdu too big\n");
return 0;
Source: GitHub Commit for libcoap
Detection Methods for CVE-2026-29013
Indicators of Compromise
- Unexpected application crashes in libcoap-based services with stack traces pointing to oscore_cbor.c or CBOR parsing functions
- Memory corruption errors or segmentation faults during CoAP message processing
- Anomalous CoAP traffic patterns with malformed OSCORE option headers targeting IoT gateways or constrained devices
- Increased memory read errors or address sanitizer violations in development/testing environments
Detection Strategies
- Deploy network intrusion detection rules to identify malformed CoAP packets with suspicious OSCORE option structures
- Monitor CoAP endpoints for abnormally large or malformed CBOR payloads in OSCORE negotiation messages
- Implement application-level logging to capture OSCORE processing failures and CBOR parsing errors
- Use memory safety tools (AddressSanitizer, Valgrind) in testing environments to identify out-of-bounds access attempts
Monitoring Recommendations
- Enable verbose logging on CoAP gateways and servers to capture detailed information about OSCORE option processing
- Set up alerts for repeated CoAP message processing failures from single source addresses
- Monitor system resource utilization for signs of exploitation attempts causing memory exhaustion or crashes
- Implement packet capture on CoAP endpoints for forensic analysis capability
How to Mitigate CVE-2026-29013
Immediate Actions Required
- Update libcoap to the latest patched version containing commit b7847c4dbb0dbee7c90b09a673d4cae256f03718
- If immediate patching is not possible, consider temporarily disabling OSCORE functionality if not required for operations
- Implement network-level filtering to restrict CoAP access to trusted sources only
- Review and audit all applications built with libcoap for proper error handling around CBOR parsing
Patch Information
The vulnerability has been addressed in the libcoap GitHub commit. This patch adds proper null pointer validation and improves bounds checking in PDU handling routines. Organizations should update to a libcoap version that includes this security fix.
Workarounds
- Restrict network access to CoAP services using firewall rules to limit exposure to trusted networks only
- Consider compiling libcoap without NDEBUG in security-sensitive deployments to retain assert-based checks (note: this impacts performance)
- Implement application-level input validation before passing data to libcoap OSCORE processing functions
- Deploy a reverse proxy or CoAP gateway that performs protocol validation before forwarding to backend libcoap services
# Example firewall rules to restrict CoAP access
# Allow CoAP (UDP 5683) only from trusted network
iptables -A INPUT -p udp --dport 5683 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p udp --dport 5683 -j DROP
# Allow CoAP over DTLS (UDP 5684) only from trusted network
iptables -A INPUT -p udp --dport 5684 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p udp --dport 5684 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
