CVE-2026-2967
Received Received - Intake
Improper Source Verification in Cesanta Mongoose TCP Handler

Publication date: 2026-02-23

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This affects the function getpeer of the file /src/net_builtin.c of the component TCP Sequence Number Handler. The manipulation leads to improper verification of source of a communication channel. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-23
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-23
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2967
EUVD
EUVD-2026-7603
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cesanta mongoose to 7.20 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-940 The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2967 is a security vulnerability in Cesanta Mongoose versions up to 7.20, specifically in the getpeer function of the /src/net_builtin.c file within the TCP Sequence Number Handler component.

The vulnerability arises because the function improperly verifies the source of incoming TCP communication by matching TCP segments only based on port pairs, ignoring the source IP address. This allows an attacker to send a forged TCP reset (RST) packet with the correct port pair but any source IP and sequence number to forcibly terminate arbitrary TCP connections.

This behavior violates RFC 5961, which is designed to improve TCP robustness against blind in-window attacks, making the system susceptible to remote attacks that can disrupt TCP sessions without authentication.

Impact Analysis

This vulnerability can impact you by allowing an attacker to remotely disrupt TCP connections managed by the Cesanta Mongoose server.

Because the vulnerability allows forged TCP reset packets to terminate arbitrary TCP sessions, it can lead to denial of service or availability issues for applications relying on these connections.

The attack does not require authentication and can be initiated remotely, although the complexity is high and exploitability is difficult.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves improper validation of TCP reset (RST) packets in Cesanta Mongoose's TCP/IP stack, allowing an attacker to forcibly terminate TCP sessions by sending forged TCP RST packets with correct port pairs but arbitrary source IP addresses and sequence numbers."}, {'type': 'paragraph', 'content': 'Detection on your network or system would involve monitoring for unusual or unexpected TCP RST packets that cause abrupt termination of TCP connections, especially those where the source IP address does not match expected communication peers.'}, {'type': 'paragraph', 'content': 'You can use network monitoring tools such as tcpdump or Wireshark to capture and analyze TCP traffic. For example, the following tcpdump command can help capture TCP RST packets:'}, {'type': 'list_item', 'content': "tcpdump -i <interface> 'tcp[tcpflags] & tcp-rst != 0'"}, {'type': 'paragraph', 'content': 'Review captured packets for RST packets that do not correspond to legitimate connection endpoints or that appear suspicious in timing or source IP.'}] [1]

Mitigation Strategies

There are no known countermeasures or patches available from the vendor for this vulnerability, as the vendor did not respond to early notifications.

Immediate mitigation steps include replacing the affected Cesanta Mongoose component (versions up to 7.20) with an alternative product or a fixed version if available in the future.

Additionally, network-level protections such as filtering or blocking suspicious TCP RST packets from untrusted sources may help reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2967. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart