
CVE-2025-65496: n/a

0
Medium
Vulnerability, CVE-2025-65496, cve, cve-2025-65496
Published: Mon Nov 24 2025 (11/24/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.

AI-Powered Analysis

Last updated: 12/01/2025, 14:36:23 UTC

Technical Analysis

CVE-2025-65496 is a vulnerability identified in version 4.3.5 of the OISM libcoap library, which is widely used to implement the Constrained Application Protocol (CoAP) with DTLS security, primarily in IoT and constrained network environments. The issue arises from a NULL pointer dereference in the function coap_dtls_generate_cookie(), located in the source file src/coap_openssl.c. During the DTLS handshake process, the function SSL_get_SSL_CTX() is called to retrieve the SSL context. Under certain crafted handshake conditions, this function can return NULL, which is not properly checked before dereferencing, causing the application to crash or become unresponsive. This results in a denial of service condition, as the affected service or device may fail to process legitimate DTLS connections. The vulnerability requires no privileges and no prior authentication, but does require user interaction in the form of initiating a DTLS handshake. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) indicates network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality or integrity impact, and low availability impact. There are no known exploits in the wild, and no patches have been released at the time of publication. The vulnerability is classified under CWE-476 (NULL Pointer Dereference), a common programming error that can lead to crashes or denial of service. Given libcoap's role in IoT and constrained devices, this vulnerability could disrupt communications in environments relying on secure CoAP messaging.
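
The unchecked-return pattern described above, next to a checked version, as an added example that is not libcoap or OpenSSL code. The model_* types and functions and the toy_mac helper are hypothetical stand-ins for the SSL object, SSL_get_SSL_CTX() and the cookie HMAC, so the block compiles without OpenSSL.

```c
/* Added example: stand-in types model the pattern; not libcoap or OpenSSL code. */
#include <stddef.h>
#include <string.h>

#define COOKIE_LEN 8

/* Hypothetical stand-ins for the SSL context (with its cookie secret) and SSL object. */
struct model_ctx { const unsigned char *secret; size_t secret_len; };
struct model_ssl { struct model_ctx *ctx; const unsigned char *peer; size_t peer_len; };

/* Plays the role of SSL_get_SSL_CTX(): may return NULL. */
static struct model_ctx *model_get_ctx(const struct model_ssl *ssl) {
    return ssl ? ssl->ctx : NULL;
}

/* Toy keyed mix standing in for the real HMAC; not cryptographically secure. */
static void toy_mac(const struct model_ctx *c, const struct model_ssl *s, unsigned char *out) {
    memset(out, 0, COOKIE_LEN);
    for (size_t i = 0; i < c->secret_len; i++) out[i % COOKIE_LEN] ^= c->secret[i];
    for (size_t i = 0; i < s->peer_len; i++)
        out[i % COOKIE_LEN] = (unsigned char)(out[i % COOKIE_LEN] * 31u + s->peer[i]);
}

/* Unchecked form (CWE-476): dereferences whatever the lookup returned. */
int cookie_cb_unchecked(struct model_ssl *ssl, unsigned char *cookie, unsigned int *len) {
    struct model_ctx *ctx = model_get_ctx(ssl);
    toy_mac(ctx, ssl, cookie);           /* crashes when ctx == NULL */
    *len = COOKIE_LEN;
    return 1;
}

/* Checked form: validate every pointer, fail the handshake instead of the process. */
int cookie_cb_checked(struct model_ssl *ssl, unsigned char *cookie, unsigned int *len) {
    struct model_ctx *ctx;
    if (ssl == NULL || cookie == NULL || len == NULL) return 0;
    ctx = model_get_ctx(ssl);
    if (ctx == NULL || ctx->secret == NULL || ssl->peer == NULL) {
        *len = 0;
        return 0;                        /* 0 = callback failure, 1 = success (assumed convention) */
    }
    toy_mac(ctx, ssl, cookie);
    *len = COOKIE_LEN;
    return 1;
}
```

With the check in place, a missing context costs one rejected handshake while the service keeps running.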

Potential Impact

The primary impact of CVE-2025-65496 is a denial of service condition affecting availability. For European organizations deploying IoT devices, industrial control systems, or other constrained network devices using libcoap 4.3.5 with DTLS security, this vulnerability could cause service interruptions or device crashes when targeted by a malicious actor. While confidentiality and integrity are not directly impacted, the loss of availability could disrupt critical operations, especially in sectors such as manufacturing, energy, smart cities, and healthcare where CoAP is used for device communication. The ease of exploitation (network-based, no privileges required) increases the risk of opportunistic attacks, particularly in environments with exposed or poorly segmented IoT networks. The lack of known exploits currently limits immediate risk, but the absence of patches means organizations must proactively mitigate exposure. Disruptions could lead to operational downtime, financial losses, and potential safety risks if critical systems rely on affected devices.

Mitigation Recommendations

1. Immediate mitigation involves network-level controls such as filtering or rate-limiting DTLS handshake attempts to reduce exposure to crafted handshake attacks.
2. Segment IoT and constrained device networks from critical infrastructure and limit external access to devices running libcoap.
3. Monitor network traffic for unusual DTLS handshake patterns that may indicate exploitation attempts.
4. Implement robust logging and alerting on devices and gateways using libcoap to detect crashes or service disruptions.
5. Engage with vendors or maintainers of libcoap to obtain patches or updates as soon as they become available; consider upgrading to newer versions if they address this vulnerability.
6. For devices where patching is not immediately possible, consider deploying compensating controls such as redundant systems or failover mechanisms to maintain availability.
7. Conduct thorough inventory and risk assessments to identify all assets using libcoap 4.3.5 and prioritize remediation based on criticality.
8. Educate operational teams about the vulnerability and response procedures to minimize downtime in case of exploitation.


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-11-18T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 692467ebff33e781bff0e36a

Added to database: 11/24/2025, 2:12:59 PM

Last enriched: 12/1/2025, 2:36:23 PM

Last updated: 12/4/2025, 11:36:03 PM
