CVE-2025-65498 is a denial of service vulnerability found in version 4.3.5 of the OISM libcoap library, which is widely used for constrained application protocol (CoAP) implementations, especially in IoT and embedded systems. The vulnerability exists in the coap_dtls_generate_cookie() function located in src/coap_openssl.c. During a DTLS handshake, a crafted packet can cause the OpenSSL function SSL_get_SSL_CTX() to return a NULL pointer. This NULL pointer dereference leads to a crash or abnormal termination of the libcoap process, resulting in denial of service. The flaw can be triggered remotely by an attacker without requiring authentication or user interaction, making it a significant risk for exposed services. Although no CVSS score or patch links are currently available, the vulnerability is publicly disclosed and assigned CVE-2025-65498. The absence of known exploits in the wild suggests it is newly discovered, but the underlying issue is straightforward to exploit given the nature of the NULL pointer dereference during handshake processing. The vulnerability affects any system using libcoap 4.3.5 with DTLS enabled over OpenSSL, which is common in IoT devices, constrained networks, and certain industrial control systems. The impact is primarily denial of service, potentially disrupting communications or device availability.

For European organizations, the primary impact is denial of service on devices or services using libcoap 4.3.5 with DTLS over OpenSSL. This can disrupt IoT device communications, sensor networks, and constrained environment applications, potentially affecting critical infrastructure, industrial automation, and smart city deployments. Service outages could lead to operational downtime, loss of monitoring capabilities, or interruption of automated processes. In sectors like manufacturing, energy, healthcare, and transportation, such disruptions could have cascading effects on safety and efficiency. Since the vulnerability can be exploited remotely without authentication, attackers could target exposed devices or gateways to cause widespread service degradation. The impact on confidentiality and integrity is minimal as the vulnerability does not allow code execution or data leakage, but availability is significantly affected. Organizations relying on libcoap for secure communications should prioritize mitigation to maintain service continuity.

1. Monitor for official patches or updates from the libcoap project and apply them promptly once released. 2. If patches are not yet available, consider disabling DTLS support in libcoap where feasible or restricting access to DTLS endpoints via network segmentation and firewall rules. 3. Deploy intrusion detection/prevention systems (IDS/IPS) capable of identifying and blocking malformed DTLS handshake packets that could trigger the vulnerability. 4. Implement rate limiting on DTLS handshake requests to reduce the risk of denial of service from crafted packets. 5. Conduct network traffic analysis to detect unusual handshake failures or crashes in devices using libcoap. 6. For critical infrastructure, consider deploying redundant systems or failover mechanisms to maintain availability during potential attacks. 7. Engage with device vendors to confirm if their products use libcoap 4.3.5 and request firmware updates or mitigations. 8. Maintain up-to-date asset inventories to identify affected devices and prioritize remediation efforts.