Wakaama
Monthly
Memory-exhaustion denial of service in Eclipse Wakaama (an OMA LwM2M client/server library) before snapshot 2026-05-26 allows unauthenticated remote attackers to crash the server by streaming CoAP Block1 PUT requests. The CoAP Block1 handler in coap/block.c appends each incoming block to a reassembly buffer without capping total size, so an attacker reaching the UDP registration endpoint can force unbounded reallocation until memory is exhausted. Reported by VulnCheck with a vendor patch available; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
In Eclipse Wakaama (formerly liblwm2m) 1.0, core/er-coap-13/er-coap-13.c in lwm2mserver in the LWM2M server mishandles invalid options, leading to a memory leak. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Memory-exhaustion denial of service in Eclipse Wakaama (an OMA LwM2M client/server library) before snapshot 2026-05-26 allows unauthenticated remote attackers to crash the server by streaming CoAP Block1 PUT requests. The CoAP Block1 handler in coap/block.c appends each incoming block to a reassembly buffer without capping total size, so an attacker reaching the UDP registration endpoint can force unbounded reallocation until memory is exhausted. Reported by VulnCheck with a vendor patch available; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
In Eclipse Wakaama (formerly liblwm2m) 1.0, core/er-coap-13/er-coap-13.c in lwm2mserver in the LWM2M server mishandles invalid options, leading to a memory leak. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.