CVE-2026-2966
Received - Intake
Insufficient Randomness in Cesanta Mongoose DNS Transaction ID Handler

Publication date: 2026-02-23

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in Cesanta Mongoose up to 7.20. The impacted element is the function mg_sendnsreq of the file /src/dns.c of the component DNS Transaction ID Handler. Executing a manipulation of the argument random can lead to insufficiently random values. The attack can be launched remotely. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-02-23
Last Modified: 2026-04-29
Generated: 2026-05-27
AI Q&A: 2026-02-23
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Vendor | Product | Version / Range
cesanta | mongoose | to 7.20 (inc)
CWE ID | Description
CWE-310 | Cryptographic Issues
CWE-330 | The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-2966 is a vulnerability in Cesanta Mongoose versions up to 7.20, specifically in the DNS Transaction ID handler function mg_sendnsreq located in /src/dns.c. The issue arises because the function generates DNS transaction IDs using a sequential counter that resets to 1 when the pending DNS request list is empty. This results in insufficiently random or predictable transaction IDs.

Because the transaction ID remains constant at 1 for non-overlapping DNS queries, an attacker can spoof DNS responses with nearly 100% reliability without needing to observe prior network traffic. This undermines the DNS protocol's authentication mechanism.

The vulnerability can be exploited remotely without authentication, but exploitation is considered difficult. A proof-of-concept exploit is publicly available. [1, 2]


How can this vulnerability impact me?

This vulnerability allows a remote attacker to spoof DNS responses by predicting transaction IDs, effectively bypassing DNS authentication.

  • The attacker can gain full control over hostname resolution.
  • This can lead to man-in-the-middle attacks.
  • It can facilitate credential theft.
  • Users can be redirected to malicious infrastructure.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves predictable DNS transaction IDs generated by the mg_sendnsreq() function in Cesanta Mongoose up to version 7.20. Detection can focus on monitoring DNS traffic for suspicious patterns such as repeated or sequential DNS transaction IDs, especially if transaction IDs remain constant or predictable (e.g., always 1) for non-overlapping DNS queries.

Network detection can involve capturing DNS request packets and analyzing the transaction ID field for insufficient randomness or repeated values.

Suggested commands to detect this behavior include using packet capture tools like tcpdump or Wireshark to filter DNS traffic and inspect transaction IDs:

  • tcpdump -i <interface> udp port 53 -w dns_traffic.pcap
  • tshark -r dns_traffic.pcap -Y "dns" -T fields -e dns.id -e ip.src -e ip.dst

By analyzing the output, you can check if transaction IDs are unusually predictable or constant, indicating the presence of this vulnerability. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

There are no known vendor-provided patches or mitigations for this vulnerability as the vendor did not respond to the disclosure.

As an immediate mitigation, consider replacing the affected Cesanta Mongoose component with an alternative product that does not suffer from this insufficient randomness issue.

Additionally, network-level mitigations such as filtering or blocking spoofed UDP packets targeting DNS services, implementing network segmentation, and monitoring for suspicious DNS traffic can help reduce the risk of exploitation.

