Skip to main content

Eclipse Wakaama EUVDEUVD-2026-41417

| CVE-2026-58465 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-07-02 VulnCheck GHSA-95xc-mgc7-g4jq
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Remote, unauthenticated, low-complexity UDP attack with no user interaction; impact is availability-only memory exhaustion, so C:N/I:N/A:H and scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 18:50 vuln.today

DescriptionCVE.org

Eclipse Wakaama before snapshot/2026-05-26 contains an unbounded memory allocation vulnerability in the CoAP Block1 handler within coap/block.c that allows unauthenticated remote attackers to exhaust server memory by sending a sequence of Block1 PUT requests with incrementing block numbers. Attackers can target the registration endpoint over UDP without authentication, causing the server to repeatedly reallocate a growing accumulation buffer by appending each block payload without enforcing any maximum total size limit, resulting in denial of service through memory exhaustion.

AnalysisAI

Memory-exhaustion denial of service in Eclipse Wakaama (an OMA LwM2M client/server library) before snapshot 2026-05-26 allows unauthenticated remote attackers to crash the server by streaming CoAP Block1 PUT requests. The CoAP Block1 handler in coap/block.c appends each incoming block to a reassembly buffer without capping total size, so an attacker reaching the UDP registration endpoint can force unbounded reallocation until memory is exhausted. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach LwM2M CoAP UDP endpoint
Delivery
Send Block1 PUT with more-blocks flag
Exploit
Stream incrementing block numbers
Execution
Server appends blocks unbounded
Persist
Reassembly buffer grows without limit
Impact
Memory exhausted, server denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to Wakaama's LwM2M/CoAP registration endpoint over UDP (typically port 5683), with the server running a vulnerable version before snapshot/2026-05-26 and accepting CoAP Block1 (block-wise transfer) PUT requests to that endpoint. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a credible real-world availability risk against exposed LwM2M servers, though impact is confined to denial of service. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on a network path to an exposed LwM2M server sends a stream of CoAP Block1 PUT requests to the UDP registration endpoint, each carrying a payload block with an incrementing block number and the 'more blocks' flag set. Because the server keeps appending each block to a growing reassembly buffer with no total-size cap, sustained sending drives memory allocation until the process is exhausted and the service crashes or becomes unresponsive. …
Remediation Vendor-released patch: upgrade to the Eclipse Wakaama snapshot/2026-05-26 release (https://github.com/eclipse-wakaama/wakaama/releases/tag/snapshots%2F2026-05-26), which incorporates the fix from commit a83f1ca28fa090fbc03c3669fef40daf4f89cd03 and PR #881 (https://github.com/eclipse-wakaama/wakaama/pull/881); because Wakaama is typically embedded as a library, rebuild and redeploy affected firmware/servers against the patched source. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify systems running Eclipse Wakaama and assess external network access to CoAP UDP endpoints. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41417 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy