<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cesanta - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/cesanta/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 09 Jul 2026 16:18:10 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/cesanta/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-11404: Cesanta Mongoose TLS Out-of-Bounds Read Leading to Denial of Service</title><link>https://feed.craftedsignal.io/briefs/2026-07-cesanta-mongoose-tls-oob-read-dos/</link><pubDate>Thu, 09 Jul 2026 16:18:10 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cesanta-mongoose-tls-oob-read-dos/</guid><description>Cesanta Mongoose before version 7.22 contains an out-of-bounds read vulnerability (CVE-2026-11404) in its built-in TLS server function, `mg_tls_server_recv_hello()`, allowing a remote, unauthenticated attacker to send a specially crafted TLS ClientHello message with an oversized session ID length, leading to a service crash and denial of service for HTTPS, MQTTS, or WSS services.</description><content:encoded><![CDATA[<p>The Cesanta Mongoose library, specifically versions prior to 7.22, is affected by a critical out-of-bounds read vulnerability, identified as CVE-2026-11404. This flaw resides within the <code>mg_tls_server_recv_hello()</code> function, a core component of its built-in TLS server (MG_TLS_BUILTIN). Attackers can exploit this by sending a single, specially crafted TLS ClientHello message. This malicious ClientHello contains an intentionally oversized <code>session_id_len</code> byte, which the vulnerable function uses as a buffer index without proper validation against the length of the received data. The consequence is an attempt to read memory beyond the allocated receive buffer, leading to a severe application crash. This vulnerability enables a remote, unauthenticated attacker to trigger a denial of service on any HTTPS, MQTTS, or WSS service built using the affected Mongoose library, disrupting critical services. This issue highlights the importance of input validation in network protocol implementations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A remote, unauthenticated attacker initiates a TLS connection to a vulnerable Cesanta Mongoose service (e.g., HTTPS, MQTTS, WSS) that utilizes the MG_TLS_BUILTIN feature.</li>
<li>The attacker sends a specially crafted TLS ClientHello message to the server as part of the TLS handshake.</li>
<li>Within the ClientHello message, the attacker manipulates the <code>session_id_len</code> byte to contain an oversized, invalid value.</li>
<li>The vulnerable <code>mg_tls_server_recv_hello()</code> function in Mongoose processes the ClientHello without adequately validating the <code>session_id_len</code> against the actual length of the received data.</li>
<li>The function attempts to use the oversized <code>session_id_len</code> as a buffer index, resulting in an out-of-bounds read operation past the legitimate boundaries of the receive buffer.</li>
<li>This memory access violation triggers a critical error, causing the Cesanta Mongoose application to crash.</li>
<li>The application crash leads to a denial of service, rendering the affected HTTPS, MQTTS, or WSS service unavailable to legitimate users.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-11404 leads to a complete denial of service for any internet-facing service utilizing the affected Cesanta Mongoose library with MG_TLS_BUILTIN enabled. Services such as HTTPS, MQTTS, and WSS will crash, becoming unavailable to legitimate users. This can result in significant operational disruption, potential data loss (if not properly handled during the crash), and reputational damage for affected organizations. While the vulnerability is not described as leading to arbitrary code execution or data exfiltration, the ability for an unauthenticated attacker to reliably crash critical services poses a high risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-11404 by upgrading Cesanta Mongoose to version 7.22 or later immediately.</li>
<li>Monitor affected services (HTTPS, MQTTS, WSS) for unexpected restarts or crashes, which could indicate attempted exploitation of this vulnerability.</li>
<li>Implement robust service availability monitoring and alerting for any prolonged outages of applications utilizing Cesanta Mongoose with MG_TLS_BUILTIN.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>denial-of-service</category><category>vulnerability</category><category>tls</category><category>webserver</category><category>firmware</category></item></channel></rss>