Home

Description

Cesanta Mongoose before 7.22 contains an out-of-bounds read in the built-in TLS server function mg_tls_server_recv_hello(), which uses an attacker-controlled session_id_len byte from a TLS ClientHello as a buffer index without validating it against the length of received data. A remote, unauthenticated attacker can send a single crafted ClientHello with an oversized session id length to read past the receive buffer, crashing any HTTPS, MQTTS, or WSS service built on MG_TLS_BUILTIN.

PUBLISHED Reserved 2026-06-05 | Published 2026-07-09 | Updated 2026-07-10 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

Out-of-bounds Read

Product status

Default status
affected

Any version before 7.22
affected

Credits

Shukhratbek Uraiimov reporter

References

github.com/cesanta/mongoose/releases/tag/7.22 (Mongoose 7.22 Release Notes) release-notes

github.com/cesanta/mongoose (Product) product

github.com/...ommit/c288ac1f38424ffdd4d2fd5e1893fd4962642db3 (Patch Commit) patch

www.vulncheck.com/...-builtin-clienthello-session-id-parsing third-party-advisory

cve.org (CVE-2026-11404)

nvd.nist.gov (CVE-2026-11404)

Download JSON