CVE-2026-11404
Received Received - Intake

Out-of-Bounds Read in Cesanta Mongoose TLS Server

Vulnerability report for CVE-2026-11404, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: VulnCheck

Description

Cesanta Mongoose before 7.22 contains an out-of-bounds read in the built-in TLS server function mg_tls_server_recv_hello(), which uses an attacker-controlled session_id_len byte from a TLS ClientHello as a buffer index without validating it against the length of received data. A remote, unauthenticated attacker can send a single crafted ClientHello with an oversized session id length to read past the receive buffer, crashing any HTTPS, MQTTS, or WSS service built on MG_TLS_BUILTIN.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
cesanta mongoose to 7.22 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability involves an out-of-bounds read triggered by a maliciously crafted TLS ClientHello message with an oversized session_id_len value. Detection would involve monitoring network traffic for unusual or malformed TLS ClientHello packets that specify an abnormally large session ID length.

Since the vulnerability causes crashes in HTTPS, MQTTS, or WSS services built on MG_TLS_BUILTIN, monitoring logs and service stability for unexpected crashes or denial-of-service symptoms can also help detect exploitation attempts.

Specific commands to detect this vulnerability are not provided in the available resources. However, general approaches could include using packet capture tools like tcpdump or Wireshark to filter TLS ClientHello messages and inspect the session_id_len field for unusually large values.

Executive Summary

CVE-2026-11404 is an out-of-bounds read vulnerability in Cesanta Mongoose versions before 7.22. It occurs in the built-in TLS server function mg_tls_server_recv_hello(), which processes the TLS ClientHello message. The vulnerability arises because the function uses an attacker-controlled session_id_len byte as a buffer index without validating it against the actual length of the received data. This allows a remote, unauthenticated attacker to send a specially crafted ClientHello message with an oversized session ID length, causing the function to read beyond the allocated receive buffer.

This out-of-bounds read can lead to a crash of any HTTPS, MQTTS, or WSS service built on MG_TLS_BUILTIN, resulting in a denial-of-service condition.

Impact Analysis

This vulnerability can be exploited remotely by an unauthenticated attacker to cause a denial-of-service (DoS) condition by crashing services that use the affected TLS server function. Specifically, HTTPS, MQTTS, or WSS services built on MG_TLS_BUILTIN in Cesanta Mongoose versions prior to 7.22 are vulnerable.

The impact is a service disruption, which could affect availability of web interfaces, secure MQTT messaging, or secure WebSocket communications relying on the vulnerable TLS implementation.

Mitigation Strategies

The primary mitigation step is to upgrade Cesanta Mongoose to version 7.22 or later, where the vulnerability has been patched.

Until the update can be applied, consider implementing network-level protections such as filtering or blocking suspicious TLS ClientHello messages with abnormally large session ID lengths to prevent exploitation.

Additionally, monitor affected services (HTTPS, MQTTS, WSS) for crashes or denial-of-service conditions that may indicate attempted exploitation.

Compliance Impact

The provided context and resources do not include any information about how CVE-2026-11404 affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11404. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart