Out-of-Bounds Read in Cesanta Mongoose TLS Server Function
CVE-2026-11404

8.7HIGH

Key Information:

Vendor

Cesanta

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-11404?

Cesanta Mongoose versions prior to 7.22 are affected by an out-of-bounds read vulnerability in the mg_tls_server_recv_hello() function. This issue arises when an attacker crafts a ClientHello message with an excessively large session_id_len byte, causing the TLS server to read beyond the allocated buffer. Such exploitation could lead to inadvertent crashes of services utilizing HTTPS, MQTTS, or WSS protocols powered by the built-in MG_TLS capability.

Affected Version(s)

Mongoose 0

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Shukhratbek Uraiimov
.