CVE-2026-6986

Cesanta Mongoose GCM Authentication Tag tls_aes128.c mg_aes_gcm_decrypt signature verification

Assigner: VulDB
Reserved: 24.04.2026 Published: 25.04.2026 Updated: 25.04.2026

A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This issue affects the function mg_aes_gcm_decrypt of the file /src/tls_aes128.c of the component GCM Authentication Tag Handler. Such manipulation leads to improper verification of cryptographic signature. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 7.21 is capable of addressing this issue. It is advisable to upgrade the affected component. VulDB has contacted the vendor early and they confirmed quickly, that this issue got fixed already.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
CVSS Score: 6.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	High	Integrity	Low	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
CVSS Score: 3.7

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
CVSS Score: 3.7

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.0

CVSS Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C
CVSS Score: 2.6

Access Vector	Network	Confidentiality Impact	None
Access Complexity	High	Integrity Impact	Partial
Authentication	None	Availability Impact	None

CVSS 2.0

Product Status

Vendor	Cesanta
Product	Mongoose
Versions	Version 7.0 is affected Version 7.1 is affected Version 7.2 is affected Version 7.3 is affected Version 7.4 is affected Version 7.5 is affected Version 7.6 is affected Version 7.7 is affected Version 7.8 is affected Version 7.9 is affected Version 7.10 is affected Version 7.11 is affected Version 7.12 is affected Version 7.13 is affected Version 7.14 is affected Version 7.15 is affected Version 7.16 is affected Version 7.17 is affected Version 7.18 is affected Version 7.19 is affected Version 7.20 is affected Version 7.21 is unaffected

Vendor

Cesanta

Product

Mongoose

Versions

Version 7.0 is affected
Version 7.1 is affected
Version 7.2 is affected
Version 7.3 is affected
Version 7.4 is affected
Version 7.5 is affected
Version 7.6 is affected
Version 7.7 is affected
Version 7.8 is affected
Version 7.9 is affected
Version 7.10 is affected
Version 7.11 is affected
Version 7.12 is affected
Version 7.13 is affected
Version 7.14 is affected
Version 7.15 is affected
Version 7.16 is affected
Version 7.17 is affected
Version 7.18 is affected
Version 7.19 is affected
Version 7.20 is affected
Version 7.21 is unaffected

Credits

dwbruijn (VulDB User) reporter
VulDB CNA Team coordinator

References

Problem Types