CVE-2026-11404 PUBLISHED

Cesanta Mongoose < 7.22 Out-of-Bounds Read in MG_TLS_BUILTIN ClientHello Session ID Parsing

Assigner: VulnCheck
Reserved: 05.06.2026 Published: 09.07.2026 Updated: 09.07.2026

Cesanta Mongoose before 7.22 contains an out-of-bounds read in the built-in TLS server function mg_tls_server_recv_hello(), which uses an attacker-controlled session_id_len byte from a TLS ClientHello as a buffer index without validating it against the length of received data. A remote, unauthenticated attacker can send a single crafted ClientHello with an oversized session id length to read past the receive buffer, crashing any HTTPS, MQTTS, or WSS service built on MG_TLS_BUILTIN.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor Cesanta
Product Mongoose
Versions Default: affected
  • affected from 0 to 7.22 (excl.)

Credits

  • Shukhratbek Uraiimov reporter

References

Problem Types

  • Out-of-bounds Read CWE