{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/mongoose-before-7.22/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-11404"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Mongoose (before 7.22)"],"_cs_severities":["high"],"_cs_tags":["denial-of-service","vulnerability","tls","webserver","firmware"],"_cs_type":"advisory","_cs_vendors":["Cesanta"],"content_html":"\u003cp\u003eThe Cesanta Mongoose library, specifically versions prior to 7.22, is affected by a critical out-of-bounds read vulnerability, identified as CVE-2026-11404. This flaw resides within the \u003ccode\u003emg_tls_server_recv_hello()\u003c/code\u003e function, a core component of its built-in TLS server (MG_TLS_BUILTIN). Attackers can exploit this by sending a single, specially crafted TLS ClientHello message. This malicious ClientHello contains an intentionally oversized \u003ccode\u003esession_id_len\u003c/code\u003e byte, which the vulnerable function uses as a buffer index without proper validation against the length of the received data. The consequence is an attempt to read memory beyond the allocated receive buffer, leading to a severe application crash. This vulnerability enables a remote, unauthenticated attacker to trigger a denial of service on any HTTPS, MQTTS, or WSS service built using the affected Mongoose library, disrupting critical services. This issue highlights the importance of input validation in network protocol implementations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA remote, unauthenticated attacker initiates a TLS connection to a vulnerable Cesanta Mongoose service (e.g., HTTPS, MQTTS, WSS) that utilizes the MG_TLS_BUILTIN feature.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a specially crafted TLS ClientHello message to the server as part of the TLS handshake.\u003c/li\u003e\n\u003cli\u003eWithin the ClientHello message, the attacker manipulates the \u003ccode\u003esession_id_len\u003c/code\u003e byte to contain an oversized, invalid value.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003emg_tls_server_recv_hello()\u003c/code\u003e function in Mongoose processes the ClientHello without adequately validating the \u003ccode\u003esession_id_len\u003c/code\u003e against the actual length of the received data.\u003c/li\u003e\n\u003cli\u003eThe function attempts to use the oversized \u003ccode\u003esession_id_len\u003c/code\u003e as a buffer index, resulting in an out-of-bounds read operation past the legitimate boundaries of the receive buffer.\u003c/li\u003e\n\u003cli\u003eThis memory access violation triggers a critical error, causing the Cesanta Mongoose application to crash.\u003c/li\u003e\n\u003cli\u003eThe application crash leads to a denial of service, rendering the affected HTTPS, MQTTS, or WSS service unavailable to legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-11404 leads to a complete denial of service for any internet-facing service utilizing the affected Cesanta Mongoose library with MG_TLS_BUILTIN enabled. Services such as HTTPS, MQTTS, and WSS will crash, becoming unavailable to legitimate users. This can result in significant operational disruption, potential data loss (if not properly handled during the crash), and reputational damage for affected organizations. While the vulnerability is not described as leading to arbitrary code execution or data exfiltration, the ability for an unauthenticated attacker to reliably crash critical services poses a high risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-11404 by upgrading Cesanta Mongoose to version 7.22 or later immediately.\u003c/li\u003e\n\u003cli\u003eMonitor affected services (HTTPS, MQTTS, WSS) for unexpected restarts or crashes, which could indicate attempted exploitation of this vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement robust service availability monitoring and alerting for any prolonged outages of applications utilizing Cesanta Mongoose with MG_TLS_BUILTIN.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T16:18:10Z","date_published":"2026-07-09T16:18:10Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cesanta-mongoose-tls-oob-read-dos/","summary":"Cesanta Mongoose before version 7.22 contains an out-of-bounds read vulnerability (CVE-2026-11404) in its built-in TLS server function, `mg_tls_server_recv_hello()`, allowing a remote, unauthenticated attacker to send a specially crafted TLS ClientHello message with an oversized session ID length, leading to a service crash and denial of service for HTTPS, MQTTS, or WSS services.","title":"CVE-2026-11404: Cesanta Mongoose TLS Out-of-Bounds Read Leading to Denial of Service","url":"https://feed.craftedsignal.io/briefs/2026-07-cesanta-mongoose-tls-oob-read-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Mongoose (Before 7.22)","version":"https://jsonfeed.org/version/1.1"}