CVE-2025-65494
📋 TL;DR
A NULL pointer dereference vulnerability in OISM libcoap's certificate parsing function allows remote attackers to cause denial of service by sending a specially crafted X.509 certificate. This affects systems using libcoap 4.3.5 for CoAP protocol communication with TLS/DTLS enabled. The vulnerability can be triggered by any client or server that presents a malicious certificate during TLS handshake.
💻 Affected Systems
- OISM libcoap
📦 What is this software?
libcoap (maintained at https://github.com/obgm/libcoap) is a C implementation of the Constrained Application Protocol (CoAP) used in IoT and constrained-device networking, with optional TLS/DTLS transport security.
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of libcoap-based applications, causing unavailability of IoT devices, network services, or industrial control systems that rely on CoAP communication.
Likely Case
Service crash or restart of affected libcoap processes, leading to temporary loss of functionality until services are restored.
If Mitigated
Minimal impact with proper network segmentation and certificate validation controls in place.
🎯 Exploit Status
Exploitation requires ability to present a crafted certificate during TLS handshake, which could be achieved through man-in-the-middle attacks or malicious client/server connections.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in libcoap 4.3.6 and later
Vendor Advisory: https://github.com/obgm/libcoap/issues/1745
Restart Required: Yes
Instructions:
1. Update libcoap to version 4.3.6 or later.
2. Recompile any applications using libcoap.
3. Restart all services using the updated library.
🔧 Temporary Workarounds
Disable TLS/DTLS in libcoap
Temporarily disable TLS/DTLS support in libcoap configurations to prevent certificate parsing. Note that this also removes transport encryption and peer authentication, so it is only acceptable on networks that are already isolated from untrusted parties.
- Configure libcoap to use coap:// instead of coaps://
- Disable DTLS support in application configuration
Network filtering of malicious certificates
Implement network-level filtering to block connections with suspicious certificates.
- Configure firewall rules to restrict CoAP traffic to trusted sources only
- Implement certificate pinning in network security devices
🧯 If You Can't Patch
- Implement strict network segmentation to isolate libcoap services from untrusted networks
- Deploy intrusion prevention systems (IPS) to detect and block crafted certificate attacks
🔍 How to Verify
Check if Vulnerable:
Identify which libcoap shared library an application loads with: ldd /path/to/libcoap-application | grep libcoap, then check that library's version in the source tree or through the package manager.
Check Version:
pkg-config --modversion libcoap-3 || dpkg -l | grep libcoap || rpm -qa | grep libcoap
Verify Fix Applied:
Confirm the installed libcoap reports version 4.3.6 or later, then confirm that TLS/DTLS handshakes with both valid and malformed test certificates are rejected cleanly without crashing the service.
📡 Detection & Monitoring
Log Indicators:
- Segmentation fault or crash logs from libcoap processes
- Unexpected service restarts of CoAP applications
- TLS handshake failures with NULL pointer references
Network Indicators:
- Multiple failed TLS handshakes to CoAP services
- Unusual certificate patterns in CoAP traffic
SIEM Query:
source="*libcoap*" AND ("segmentation fault" OR "NULL pointer" OR "certificate parse error")
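The indicators above can be checked outside a SIEM as well. The following is an added example (not part of the advisory or the libcoap project) that runs the same log and network indicators over constructed syslog-style lines; the exact handshake-failure message wording and the syslog format are assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines in an assumed syslog-style format (not real libcoap output).
SAMPLE_LOGS = """\
Mar 03 10:00:01 gw1 coap-server[1201]: DTLS: handshake failed with [192.0.2.10]:5684
Mar 03 10:00:02 gw1 coap-server[1201]: DTLS: handshake failed with [192.0.2.10]:5684
Mar 03 10:00:03 gw1 coap-server[1201]: DTLS: handshake failed with [192.0.2.10]:5684
Mar 03 10:00:04 gw1 kernel: coap-server[1201]: segfault at 0 ip 00007f3a12345678 error 4 in libcoap-3-openssl.so
Mar 03 10:00:05 gw1 systemd[1]: coap-server.service: Main process exited, code=killed, status=11/SEGV
Mar 03 10:00:06 gw1 systemd[1]: coap-server.service: Scheduled restart job, restart counter is at 1.
Mar 03 10:01:00 gw1 coap-server[1310]: DTLS: handshake failed with [198.51.100.7]:5684
Mar 03 10:01:30 gw1 coap-server[1310]: GET /sensor/temp from [198.51.100.7]:5684
"""

# Log indicators from the advisory, grouped by category.
INDICATORS = {
    "crash": re.compile(r"segmentation fault|segfault|status=11/SEGV", re.I),
    "null_pointer": re.compile(r"NULL pointer", re.I),
    "cert_parse_error": re.compile(r"certificate parse error", re.I),
    "restart": re.compile(r"Scheduled restart job", re.I),
}
# Peer address of a failed (D)TLS handshake; the message wording is an assumption.
HANDSHAKE_FAIL = re.compile(r"handshake failed with \[([^\]]+)\]:\d+")


def count_indicators(lines):
    """Count lines matching each advisory indicator category."""
    return {name: sum(1 for ln in lines if rx.search(ln)) for name, rx in INDICATORS.items()}


def handshake_failures_by_peer(lines):
    """Count failed handshakes per remote peer address."""
    return Counter(m.group(1) for ln in lines if (m := HANDSHAKE_FAIL.search(ln)))


def analyze(log_text, threshold=3):
    """Combine crash/restart indicators with repeated handshake failures into one verdict."""
    lines = log_text.splitlines()
    counts = count_indicators(lines)
    peers = handshake_failures_by_peer(lines)
    suspicious = sorted(p for p, n in peers.items() if n >= threshold)
    return {
        "indicator_counts": counts,
        "handshake_failures": dict(peers),
        "suspicious_peers": suspicious,
        # A crash indicator following a burst of failed handshakes is the pattern to escalate.
        "alert": counts["crash"] > 0 and bool(suspicious),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOGS))
```

Feed real journal or syslog output into analyze() after adjusting the handshake regex to the message your libcoap build actually logs.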