Skip to main content

Wakaama

2 CVEs product

Monthly

CVE-2026-58465 HIGH PATCH This Week

Memory-exhaustion denial of service in Eclipse Wakaama (an OMA LwM2M client/server library) before snapshot 2026-05-26 allows unauthenticated remote attackers to crash the server by streaming CoAP Block1 PUT requests. The CoAP Block1 handler in coap/block.c appends each incoming block to a reassembly buffer without capping total size, so an attacker reaching the UDP registration endpoint can force unbounded reallocation until memory is exhausted. Reported by VulnCheck with a vendor patch available; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Denial Of Service Wakaama
NVD GitHub
CVSS 4.0
8.7
EPSS
0.6%
CVE-2019-9004 HIGH POC This Week

In Eclipse Wakaama (formerly liblwm2m) 1.0, core/er-coap-13/er-coap-13.c in lwm2mserver in the LWM2M server mishandles invalid options, leading to a memory leak. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Wakaama
NVD GitHub
CVSS 3.0
7.5
EPSS
1.5%
EPSS 1% CVSS 8.7
HIGH PATCH This Week

Memory-exhaustion denial of service in Eclipse Wakaama (an OMA LwM2M client/server library) before snapshot 2026-05-26 allows unauthenticated remote attackers to crash the server by streaming CoAP Block1 PUT requests. The CoAP Block1 handler in coap/block.c appends each incoming block to a reassembly buffer without capping total size, so an attacker reaching the UDP registration endpoint can force unbounded reallocation until memory is exhausted. Reported by VulnCheck with a vendor patch available; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Denial Of Service Wakaama
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC This Week

In Eclipse Wakaama (formerly liblwm2m) 1.0, core/er-coap-13/er-coap-13.c in lwm2mserver in the LWM2M server mishandles invalid options, leading to a memory leak. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Wakaama
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy