CVE Catalog

CVE-2026-58465

High · CVSS 7.5

Exploitation Probability (EPSS)

Low risk
0.56%

42nd percentile: higher than 42% of all known CVEs

Summary

Eclipse Wakaama before snapshot/2026-05-26 has an unbounded memory allocation vulnerability in the CoAP Block1 handler in coap/block.c. An unauthenticated remote attacker can send a sequence of Block1 PUT requests with incrementing block numbers, causing repeated reallocation of an accumulation buffer without size limit, leading to server memory exhaustion.

Risk Assessment

An attacker can remotely, without authentication, exhaust server memory by sending Block1 PUT requests to the registration endpoint over UDP, resulting in denial of service (DoS) and potential service outage.

Recommendation

Immediately update Eclipse Wakaama to snapshot/2026-05-26 or later, which includes a fix that enforces a maximum total size limit for the accumulation buffer in CoAP block handling.
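
The kind of bound the fix describes, as an added C example; it is not Wakaama's code and not the upstream patch. The state struct, function names and the 4096-byte cap are assumptions chosen for illustration. The vulnerable pattern is the same append loop without the cap check.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BLOCK1_TOTAL 4096u /* assumed cap: largest legitimate request body */

/* CoAP response codes (RFC 7252 / RFC 7959) as class*100 + detail.
   B1_COMPLETE is not a CoAP code: the body is whole, pass it to the handler. */
enum { B1_COMPLETE = 0, B1_CONTINUE = 231, B1_INCOMPLETE = 408,
       B1_TOO_LARGE = 413, B1_INTERNAL = 500 };

/* Hypothetical per-peer reassembly state, not Wakaama's own structure. */
typedef struct { uint8_t *buf; size_t len; uint32_t next_num; } block1_state_t;

static void block1_reset(block1_state_t *st) {
    free(st->buf);
    st->buf = NULL; st->len = 0; st->next_num = 0;
}

/* Append one Block1 payload; returns the code to answer with. */
static int block1_append(block1_state_t *st, uint32_t num, int more,
                         const uint8_t *payload, size_t plen) {
    if (num == 0) block1_reset(st);            /* block 0 starts a new transfer */
    if (num != st->next_num) { block1_reset(st); return B1_INCOMPLETE; }
    /* Bound the total BEFORE growing. st->len never exceeds the cap, so the
       subtraction cannot wrap, unlike a check on st->len + plen. */
    if (plen > MAX_BLOCK1_TOTAL - st->len) { block1_reset(st); return B1_TOO_LARGE; }
    if (plen > 0) {
        uint8_t *grown = realloc(st->buf, st->len + plen);
        if (grown == NULL) { block1_reset(st); return B1_INTERNAL; }
        memcpy(grown + st->len, payload, plen);
        st->buf = grown;
        st->len += plen;
    }
    st->next_num++;
    return more ? B1_CONTINUE : B1_COMPLETE;
}

int main(void) {
    /* Constructed input: 1024-byte blocks, incrementing numbers, never final. */
    static const uint8_t block[1024] = {0};
    block1_state_t st = {0};
    for (uint32_t num = 0; num < 8; num++) {
        int code = block1_append(&st, num, 1, block, sizeof block);
        printf("block %u -> %d.%02d, held=%zu\n", (unsigned)num, code / 100, code % 100, st.len);
        if (code != B1_CONTINUE) break;
    }
    block1_reset(&st);
    return 0;
}
```

Rejecting with 4.13 and freeing the partial buffer means an oversized transfer costs the server at most the cap per tracked peer; the number of concurrently tracked transfers needs its own limit.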

Original NVD description (English source)

Eclipse Wakaama before snapshot/2026-05-26 contains an unbounded memory allocation vulnerability in the CoAP Block1 handler within coap/block.c that allows unauthenticated remote attackers to exhaust server memory by sending a sequence of Block1 PUT requests with incrementing block numbers. Attackers can target the registration endpoint over UDP without authentication, causing the server to repeatedly reallocate a growing accumulation buffer by appending each block payload without enforcing any maximum total size limit, resulting in denial of service through memory exhaustion.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS