Out-of-Bounds Read in Cesanta Mongoose TLS Server Function
CVE-2026-11404
8.7HIGH
What is CVE-2026-11404?
Cesanta Mongoose versions prior to 7.22 are affected by an out-of-bounds read vulnerability in the mg_tls_server_recv_hello() function. This issue arises when an attacker crafts a ClientHello message with an excessively large session_id_len byte, causing the TLS server to read beyond the allocated buffer. Such exploitation could lead to inadvertent crashes of services utilizing HTTPS, MQTTS, or WSS protocols powered by the built-in MG_TLS capability.
Affected Version(s)
Mongoose 0
