CVE-2026-2967
Improper Source Verification in Cesanta Mongoose TCP Handler
Publication date: 2026-02-23
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cesanta | mongoose | up to 7.20 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-940 | The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2967 is a security vulnerability in Cesanta Mongoose versions up to 7.20, specifically in the getpeer function of the /src/net_builtin.c file within the TCP Sequence Number Handler component.
The vulnerability arises because the function improperly verifies the source of incoming TCP communication by matching TCP segments only based on port pairs, ignoring the source IP address. This allows an attacker to send a forged TCP reset (RST) packet with the correct port pair but any source IP and sequence number to forcibly terminate arbitrary TCP connections.
This behavior violates RFC 5961, which is designed to improve TCP robustness against blind in-window attacks, making the system susceptible to remote attacks that can disrupt TCP sessions without authentication.
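As an added illustration, not Mongoose's source and not the code of any fixed version, the following C sketch contrasts a peer lookup keyed on the port pair alone (the defect class the advisory describes) with one keyed on the full four-tuple and gated by the RFC 5961 section 3.2 RST sequence checks (exact match of RCV.NXT accepts; in-window but inexact triggers a challenge ACK; out-of-window drops). The struct names, the connection table and the constructed segments are assumptions made for this example; the regression functions at the end show that a mismatched-source RST tears down the connection under the weak policy and is dropped under the hardened one.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical connection record and segment (assumptions, not Mongoose's types). */
struct conn {
    uint32_t local_ip, remote_ip;     /* host byte order */
    uint16_t local_port, remote_port;
    uint32_t rcv_nxt;                 /* next sequence number we expect from the peer */
    uint32_t rcv_wnd;                 /* our advertised receive window */
    bool     open;
};

struct tcp_seg {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint32_t seq;
    uint8_t  flags;
};

#define TCP_RST 0x04
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Weak lookup: matches on the port pair only, so any source IP can hit the entry. */
struct conn *lookup_by_ports(struct conn *tab, size_t n, const struct tcp_seg *s) {
    for (size_t i = 0; i < n; i++)
        if (tab[i].open && tab[i].local_port == s->dst_port && tab[i].remote_port == s->src_port)
            return &tab[i];
    return NULL;
}

/* Hardened lookup: the full four-tuple must match. */
struct conn *lookup_by_tuple(struct conn *tab, size_t n, const struct tcp_seg *s) {
    for (size_t i = 0; i < n; i++)
        if (tab[i].open && tab[i].local_ip == s->dst_ip && tab[i].remote_ip == s->src_ip &&
            tab[i].local_port == s->dst_port && tab[i].remote_port == s->src_port)
            return &tab[i];
    return NULL;
}

enum rst_verdict { RST_DROP = 0, RST_CHALLENGE_ACK = 1, RST_ACCEPT = 2 };

/* RFC 5961 section 3.2: accept only SEG.SEQ == RCV.NXT; challenge-ACK if merely in window. */
enum rst_verdict check_rst_seq(const struct conn *c, uint32_t seq) {
    if (seq == c->rcv_nxt) return RST_ACCEPT;
    if ((uint32_t)(seq - c->rcv_nxt) < c->rcv_wnd) return RST_CHALLENGE_ACK; /* modular in-window test */
    return RST_DROP;
}

/* Weak policy: any RST that hits the port pair closes the connection. Returns true if closed. */
bool handle_rst_weak(struct conn *tab, size_t n, const struct tcp_seg *s) {
    if (!(s->flags & TCP_RST)) return false;
    struct conn *c = lookup_by_ports(tab, n, s);
    if (!c) return false;
    c->open = false;
    return true;
}

/* Hardened policy: four-tuple match plus RFC 5961 sequence validation. */
enum rst_verdict handle_rst_hardened(struct conn *tab, size_t n, const struct tcp_seg *s) {
    if (!(s->flags & TCP_RST)) return RST_DROP;
    struct conn *c = lookup_by_tuple(tab, n, s);
    if (!c) return RST_DROP;
    enum rst_verdict v = check_rst_seq(c, s->seq);
    if (v == RST_ACCEPT) c->open = false;
    return v;
}

/* Constructed sample state: one open connection 10.0.0.5:8000 <-> 10.0.0.9:51234. */
static struct conn sample_table[1];
static void reset_table(void) {
    struct conn c = { IP4(10,0,0,5), IP4(10,0,0,9), 8000, 51234, 1000u, 4096u, true };
    sample_table[0] = c;
}

/* Constructed RST with the right port pair but a mismatched source IP and random sequence. */
static const struct tcp_seg mismatched_rst = { IP4(203,0,113,7), IP4(10,0,0,5), 51234, 8000, 777777u, TCP_RST };

bool weak_closes_on_mismatched_rst(void) { reset_table(); return handle_rst_weak(sample_table, 1, &mismatched_rst); }
enum rst_verdict hardened_verdict_on_mismatched_rst(void) { reset_table(); return handle_rst_hardened(sample_table, 1, &mismatched_rst); }
bool hardened_keeps_conn_open(void) { reset_table(); handle_rst_hardened(sample_table, 1, &mismatched_rst); return sample_table[0].open; }

/* Genuine peer, exact RCV.NXT: accepted. Genuine peer, in-window but inexact: challenge ACK. */
enum rst_verdict hardened_verdict_on_exact_rst(void) {
    reset_table();
    struct tcp_seg s = { IP4(10,0,0,9), IP4(10,0,0,5), 51234, 8000, 1000u, TCP_RST };
    return handle_rst_hardened(sample_table, 1, &s);
}
enum rst_verdict hardened_verdict_on_inwindow_rst(void) {
    reset_table();
    struct tcp_seg s = { IP4(10,0,0,9), IP4(10,0,0,5), 51234, 8000, 1500u, TCP_RST };
    return handle_rst_hardened(sample_table, 1, &s);
}

int main(void) {
    printf("weak policy closes on mismatched-source RST: %d\n", weak_closes_on_mismatched_rst());
    printf("hardened verdict on mismatched-source RST: %d (0 = drop)\n", hardened_verdict_on_mismatched_rst());
    printf("hardened verdict on in-window inexact RST: %d (1 = challenge ACK)\n", hardened_verdict_on_inwindow_rst());
    return 0;
}
```

The four-tuple check alone is what closes the source-verification gap the CWE entry names; the sequence gate is the separate RFC 5961 requirement, and a stack needs both, since a correct source address with an arbitrary sequence number would otherwise still reset the session.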
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to remotely disrupt TCP connections managed by the Cesanta Mongoose server.
Because the vulnerability allows forged TCP reset packets to terminate arbitrary TCP sessions, it can lead to denial of service or availability issues for applications relying on these connections.
The attack does not require authentication and can be initiated remotely, although the complexity is high and exploitability is difficult.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper validation of TCP reset (RST) packets in Cesanta Mongoose's TCP/IP stack, allowing an attacker to forcibly terminate TCP sessions by sending forged TCP RST packets with correct port pairs but arbitrary source IP addresses and sequence numbers.
Detection on your network or system would involve monitoring for unusual or unexpected TCP RST packets that cause abrupt termination of TCP connections, especially those where the source IP address does not match expected communication peers.
You can use network monitoring tools such as tcpdump or Wireshark to capture and analyze TCP traffic. For example, the following tcpdump command can help capture TCP RST packets:
- tcpdump -i <interface> 'tcp[tcpflags] & tcp-rst != 0'
Review captured packets for RST packets that do not correspond to legitimate connection endpoints or that appear suspicious in timing or source IP. [1]
What immediate steps should I take to mitigate this vulnerability?
There are no known countermeasures or patches available from the vendor for this vulnerability, as the vendor did not respond to early notifications.
Immediate mitigation steps include replacing the affected Cesanta Mongoose component (versions up to 7.20) with an alternative product or a fixed version if available in the future.
Additionally, network-level protections such as filtering or blocking suspicious TCP RST packets from untrusted sources may help reduce the risk of exploitation.