Vendor
Cesanta Mongoose before version 7.22 contains an out-of-bounds read vulnerability (CVE-2026-11404) in its built-in TLS server function, `mg_tls_server_recv_hello()`, allowing a remote, unauthenticated attacker to send a specially crafted TLS ClientHello message with an oversized session ID length, leading to a service crash and denial of service for HTTPS, MQTTS, or WSS services.