Skip to main content

Cesanta Mongoose CVE-2026-6985

| EUVDEUVD-2026-25661 MEDIUM
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-04-25 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
PoC Detected
Apr 29, 2026 - 19:05 vuln.today
Public exploit code
CVSS changed
Apr 25, 2026 - 17:22 NVD
5.3 (MEDIUM) 5.5 (MEDIUM)
Analysis Generated
Apr 25, 2026 - 17:00 vuln.today
EUVD ID Assigned
Apr 25, 2026 - 16:30 euvd
EUVD-2026-25661
Analysis Generated
Apr 25, 2026 - 16:30 vuln.today
Patch released
Apr 25, 2026 - 16:30 nvd
Patch available
CVE Published
Apr 25, 2026 - 16:15 nvd
MEDIUM 5.5

DescriptionCVE.org

A weakness has been identified in Cesanta Mongoose up to 7.20. This vulnerability affects the function handle_opt of the file /src/net_builtin.c of the component TCP Option Handler. This manipulation of the argument optlen causes infinite loop. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 7.21 is able to resolve this issue. Upgrading the affected component is advised. VulDB has contacted the vendor early and they confirmed quickly, that this issue got fixed already.

AnalysisAI

Remote denial of service in Cesanta Mongoose up to version 7.20 allows unauthenticated attackers to trigger an infinite loop via manipulation of TCP option length parameters in the handle_opt function, causing service unavailability. Publicly available exploit code exists. Patch released in version 7.21.

Technical ContextAI

Cesanta Mongoose is an embedded web server and networking library commonly integrated into IoT devices and embedded systems. The vulnerability resides in the TCP option handler (/src/net_builtin.c), specifically the handle_opt function responsible for parsing TCP options during the three-way handshake. CWE-835 identifies an infinite loop as the root cause class, typically resulting from improper bounds checking or conditional logic in option length validation. The TCP option parsing mechanism processes optional fields appended to TCP headers; malformed or specially crafted optlen values bypass validation logic, causing the parser to enter an uncontrollable loop consuming CPU resources until the connection times out or the process is killed.

RemediationAI

Immediately upgrade Cesanta Mongoose to version 7.21 or later. For deployments unable to upgrade immediately, implement network-level mitigations: configure firewalls or load balancers to rate-limit or filter TCP connections with malformed options (if inspection tooling is available), or restrict TCP option processing to trusted sources using IP allowlists. Note that these mitigations do not eliminate the vulnerability and impose operational overhead; they are temporary measures only. The preferred and complete remediation is immediate upgrade to the patched release. Verify the upgrade by checking the library version reported by your Mongoose instance and testing with the public POC available at https://github.com/dwBruijn/CVEs/blob/main/Mongoose/TCP_opt_dos.md to confirm the infinite loop condition no longer occurs.

CVE-2025-23061 CRITICAL POC
9.0 Jan 15

Mongoose ODM for Node.js before version 8.9.5 contains a search injection vulnerability when using $where filters with p

CVE-2017-2894 CRITICAL POC
9.8 Nov 07

An exploitable stack buffer overflow vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6

CVE-2017-2891 CRITICAL POC
9.8 Nov 07

An exploitable use-after-free vulnerability exists in the HTTP server implementation of Cesanta Mongoose 6.8. Rated crit

CVE-2017-2922 CRITICAL POC
9.8 Nov 07

An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8.

CVE-2017-2921 CRITICAL POC
9.8 Nov 07

An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8.

CVE-2023-3696 CRITICAL POC
9.8 Jul 17

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4. Rated critical severity (CVSS 9.8), this vu

CVE-2022-2564 CRITICAL POC
9.8 Jul 28

Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6. Rated critical severity (CVSS 9.8), this vu

CVE-2019-19307 CRITICAL POC
9.8 Nov 26

An integer overflow in parse_mqtt in mongoose.c in Cesanta Mongoose 6.16 allows an attacker to achieve remote DoS (infin

CVE-2024-53900 CRITICAL POC
9.1 Dec 02

Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. Rated critical severity (CVSS 9.1

CVE-2021-26530 CRITICAL POC
9.1 Feb 08

The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 (compiled with OpenSSL support) is vulnerable to remote OO

CVE-2021-26529 CRITICAL POC
9.1 Feb 08

The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 and 6.7-6.18 (compiled with mbedTLS support) is vulnerable

CVE-2021-26528 CRITICAL POC
9.1 Feb 08

The mg_http_serve_file function in Cesanta Mongoose HTTP server 7.0 is vulnerable to remote OOB write attack via connect

Share

CVE-2026-6985 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy