Cyber Resilience

CVE-2026-29013

High · Updated

Published: 17 April 2026

Modified: 02 June 2026
KEV Added: not listed
CVSS v4.0 Score: 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0030 (21.2nd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-29013 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in libcoap. Its CVSS v4.0 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 21.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

libcoap contains out-of-bounds read vulnerabilities in its OSCORE Appendix B.2 CBOR unwrap handling. get_byte_inc() in src/oscore/oscore_cbor.c relies solely on assert() for bounds checking, and assert() is compiled out of release builds built with NDEBUG, leaving no runtime check at all. Attackers can send crafted CoAP requests with malformed OSCORE options, or malformed responses during OSCORE negotiation, to trigger out-of-bounds reads during CBOR parsing, and can potentially cause further out-of-bounds reads through integer wraparound in an allocation size computation.
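The defect class is an assert()-only bounds check that disappears under NDEBUG. The following added example (not libcoap source; the function names and buffer layout are hypothetical) places that pattern beside a hardened reader whose check survives release builds, and adds the wraparound guard the advisory's allocation-size issue calls for:

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not libcoap source. Hypothetical readers modelling the CWE-125
 * pattern the advisory describes: the only bounds check is assert(), which the
 * preprocessor removes when NDEBUG is defined (typical for release builds). */

/* Unsafe pattern: with -DNDEBUG the assert vanishes and the read past the end
 * of the buffer happens silently. Shown for contrast; not exercised below. */
uint8_t get_byte_inc_assert_only(const uint8_t **buf, size_t *remaining)
{
    assert(*remaining > 0);      /* compiled out under NDEBUG */
    (*remaining)--;
    return *(*buf)++;
}

/* Hardened pattern: an explicit runtime check that survives NDEBUG and reports
 * truncated input to the caller instead of reading out of bounds. */
int get_byte_inc_checked(const uint8_t **buf, size_t *remaining, uint8_t *out)
{
    if (*remaining == 0)
        return 0;                /* nothing left: refuse rather than read */
    (*remaining)--;
    *out = *(*buf)++;
    return 1;
}

/* Consumes up to `want` bytes from a buffer of `len` bytes with the checked
 * reader. Returns the count actually read; never exceeds `len`. */
size_t consume_checked(const uint8_t *data, size_t len, size_t want)
{
    const uint8_t *p = data;
    size_t remaining = len, got = 0;
    uint8_t b;
    while (got < want && get_byte_inc_checked(&p, &remaining, &b))
        got++;
    return got;
}

/* Guard for the second issue the advisory names: a size derived from
 * attacker-controlled lengths is checked for wraparound before allocation. */
int safe_alloc_size(size_t count, size_t elem, size_t header, size_t *out)
{
    if (elem != 0 && count > SIZE_MAX / elem)
        return 0;                /* count * elem would wrap */
    if (count * elem > SIZE_MAX - header)
        return 0;                /* adding the header would wrap */
    *out = count * elem + header;
    return 1;
}
```

Compiling the first reader with -DNDEBUG is the configuration the advisory describes; the checked reader behaves the same in debug and release builds.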

CWE(s)

CWE-125 Out-of-bounds Read

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The out-of-bounds read sits in the public CoAP/OSCORE request handler, so crafted requests against a network-facing service reach it directly, which is the T1190 pattern.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

libcoap, versions ≤ 4.3.5b

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.