Executive Summary

This vulnerability is a null pointer dereference in the add_ca_certs() function of the Cesanta Mongoose library before version 7.2. Specifically, the function calls SSL_CTX_get_cert_store() without checking if it returns NULL. If the SSL context's certificate store is not properly initialized (SSL_CTX_get_cert_store() returns NULL), the code attempts to dereference this NULL pointer, causing a segmentation fault and crashing the application during TLS initialization. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a denial of service by crashing the application using the Mongoose library during TLS initialization. Remote attackers can trigger this crash by exploiting the null pointer dereference, leading to a segmentation fault and potentially disrupting service availability. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability manifests as a segmentation fault (crash) during TLS initialization in the Mongoose library when SSL_CTX_get_cert_store() returns NULL. Detection can involve monitoring application logs for crashes or segmentation faults related to TLS initialization. Additionally, running the Mongoose MQTT client in a debug environment with AddressSanitizer or similar memory error detection tools can help identify the NULL pointer dereference. There are no specific network commands provided to detect this vulnerability directly. [1]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, update the Mongoose library to a version that includes the fix from pull request #3307, merged on October 13, 2025. This patch adds proper NULL pointer checks after SSL_CTX_get_cert_store() to prevent crashes. Until the update can be applied, ensure that TLS initialization code handles potential NULL returns from SSL_CTX_get_cert_store() safely, or consider disabling affected TLS features to avoid triggering the fault. [2]

Useful 0 Not Useful 0