VYPR
Unrated severity · NVD Advisory · Published Jun 18, 2020 · Updated Aug 4, 2024

CVE-2020-12887

Description

Memory leaks were discovered in the CoAP library in Arm Mbed OS 5.15.3 when using the Arm mbed-coap library 5.1.5. The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse() parses the CoAP option number field of all options present in the input packet. Each option number is calculated as a sum of the previous option number and a delta of the current option. The delta and the previous option number are expressed as unsigned 16-bit integers. Due to lack of overflow detection, it is possible to craft a packet that wraps the option number around and results in the same option number being processed again in a single packet. Certain options allocate memory by calling a memory allocation function. In the cases of COAP_OPTION_URI_QUERY, COAP_OPTION_URI_PATH, COAP_OPTION_LOCATION_QUERY, and COAP_OPTION_ETAG, there is no check on whether memory has already been allocated, which in conjunction with the option number integer overflow may lead to multiple assignments of allocated memory to a single pointer. This has been demonstrated to lead to memory leak by buffer orphaning. As a result, the memory is never freed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Integer overflow in Arm Mbed OS CoAP parser allows repeated allocation of memory for options, leading to memory leaks

Vulnerability

A memory leak vulnerability exists in the CoAP library used by Arm Mbed OS 5.15.3 and the Arm mbed-coap library 5.1.5. In sn_coap_parser_options_parse(), when parsing option number fields from received CoAP packets, the option number is computed as the sum of the previous option number and a delta, both stored as unsigned 16-bit integers. No overflow detection is implemented, so a crafted packet can cause the option number to wrap around and process the same option number multiple times. For options COAP_OPTION_URI_QUERY, COAP_OPTION_URI_PATH, COAP_OPTION_LOCATION_QUERY, and COAP_OPTION_ETAG, memory is allocated without checking if it has already been allocated. Combining the integer overflow with the lack of allocation checks leads to multiple allocations being assigned to the same pointer, orphaning allocated buffers [1][3].

Exploitation

To exploit this vulnerability, an attacker needs network access to send a specially crafted CoAP message to a device running the vulnerable library. No authentication is required, as the CoAP services typically listen for incoming packets. By carefully constructing the packet with option number fields that cause integer wraparound, the attacker triggers the parser to allocate memory multiple times for options that should only appear once. The sequence of parsing a packet with overlapping option numbers results in multiple malloc calls for the same option pointer, while only the last allocation is stored, causing previous allocations to become unreferenced [1].

Impact

Successful exploitation results in memory leaks, as the orphaned buffers are never freed. This gradually depletes available heap memory, potentially leading to denial of service (DoS) by exhausting device memory. The leak can be as small as 8 bytes per packet but can be repeated to accumulate over time. The confidentiality, integrity, and availability of the device may be affected if memory exhaustion prevents normal operation [1][3].

Mitigation

A fix was implemented by adding a helper function sn_coap_parser_add_u16_limit() that detects 16-bit overflow when adding option deltas, causing the parser to reject crafted packets that would trigger the wrap. Additionally, checks were added in sn_coap_parser_options_parse_multiple_options() to prevent overwriting already-allocated pointers. The fix is included in a commit to the mbed-coap repository [2] and was merged via pull request #116 [4]. Users should update to a version of mbed-coap after commit 4647a68 or to a patched release of Mbed OS (e.g., 5.15.4 or later). No workarounds are available for unpatched versions; blocking untrusted CoAP traffic at the network level can mitigate exploitation but is not a complete solution [1][4].
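The overflow check described above, shown as an added example that is not mbed-coap's own code: a minimal walker over a CoAP options region (RFC 7252 option header encoding) that rejects any option number that would not fit in 16 bits. The names add_u16_checked (a hypothetical stand-in for sn_coap_parser_add_u16_limit()), read_field and walk_options, and the sample bytes, are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Checked add: 0 and *out = a + b, or -1 if the sum would not fit in 16 bits.
 * Hypothetical stand-in for the fix's sn_coap_parser_add_u16_limit(). */
static int add_u16_checked(uint16_t a, uint16_t b, uint16_t *out)
{
    if (b > (uint16_t)(UINT16_MAX - a)) return -1;
    *out = (uint16_t)(a + b);
    return 0;
}

/* Decode a 4-bit delta/length nibble plus extension bytes (RFC 7252, 3.1). */
static int read_field(const uint8_t *buf, size_t len, size_t *pos,
                      uint8_t nibble, uint16_t *val)
{
    if (nibble < 13) { *val = nibble; return 0; }
    if (nibble == 13 && *pos < len) {
        *val = (uint16_t)(buf[(*pos)++] + 13);
        return 0;
    }
    if (nibble == 14 && len - *pos >= 2) {
        uint16_t raw = (uint16_t)((buf[*pos] << 8) | buf[*pos + 1]);
        *pos += 2;
        return add_u16_checked(raw, 269, val); /* the +269 bias can wrap too */
    }
    return -1; /* truncated field, or reserved nibble 15 */
}

/* Walk an options region (bytes after the token). Returns the last option
 * number, or -1 if the input is malformed or an option number would wrap. */
long walk_options(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    uint16_t number = 0, delta = 0, optlen = 0;
    while (pos < len && buf[pos] != 0xFF) {       /* 0xFF = payload marker */
        uint8_t hdr = buf[pos++];
        if (read_field(buf, len, &pos, hdr >> 4, &delta) != 0) return -1;
        if (read_field(buf, len, &pos, hdr & 0x0F, &optlen) != 0) return -1;
        if (add_u16_checked(number, delta, &number) != 0) return -1;
        if (optlen > len - pos) return -1;        /* value runs past buffer */
        pos += optlen;
    }
    return number;
}
/* Constructed sample inputs, not captured traffic. */
static const uint8_t ok_opts[]   = { 0xB1, 'a', 0x41, 'b' };   /* 11, then 15 */
static const uint8_t wrap_opts[] = { 0xB0, 0xE0, 0xFE, 0xE8 }; /* 11 + 65525 */
int main(void) { return !(walk_options(ok_opts, sizeof ok_opts) == 15 &&
                          walk_options(wrap_opts, sizeof wrap_opts) == -1); }
```

Rejecting the whole message on a failed add matches the behaviour the fix is described as having; the separate guard against overwriting an already-allocated pointer is not shown here.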

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
