Skip to main content

Mongoose EUVDEUVD-2026-18170

| CVE-2026-5244 MEDIUM
Heap-based Buffer Overflow (CWE-122)
2026-04-02 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
CVSS changed
Apr 29, 2026 - 01:11 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
EUVD ID Assigned
Apr 02, 2026 - 08:15 euvd
EUVD-2026-18170
Analysis Generated
Apr 02, 2026 - 08:15 vuln.today
Patch released
Apr 02, 2026 - 08:15 nvd
Patch available
CVE Published
Apr 02, 2026 - 08:00 nvd
MEDIUM 6.9

DescriptionCVE.org

A vulnerability has been found in Cesanta Mongoose up to 7.20. This affects the function mg_tls_recv_cert of the file mongoose.c of the component TLS 1.3 Handler. Such manipulation of the argument pubkey leads to heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.21 mitigates this issue. The name of the patch is 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

AnalysisAI

Heap-based buffer overflow in Cesanta Mongoose versions up to 7.20 allows unauthenticated remote attackers to compromise confidentiality, integrity, and availability through malicious TLS 1.3 handshake manipulation. The vulnerability resides in mg_tls_recv_cert() function's improper handling of the pubkey argument during certificate processing. Publicly available exploit code exists (CVSS temporal E:P), and vendor-released patch is available in version 7.21. CVSS base score 7.3 reflects network-accessible, low-complexity attack requiring no privileges or user interaction.

Technical ContextAI

Cesanta Mongoose is a lightweight embedded web server and networking library commonly used in IoT devices, embedded systems, and network appliances. The vulnerability (CWE-122: Heap-based Buffer Overflow) occurs in the TLS 1.3 protocol handler within mongoose.c, specifically in the mg_tls_recv_cert() function responsible for processing certificate data during the TLS handshake. When parsing the pubkey argument from incoming certificate messages, insufficient bounds checking allows an attacker to write beyond allocated heap memory. This classic memory corruption flaw can occur when the library processes malformed or oversized public key data structures in X.509 certificates presented during TLS 1.3 session establishment. The affected component (cpe:2.3:a:cesanta:mongoose:*:*:*:*:*:*:*:*) impacts all Mongoose versions through 7.20.

RemediationAI

Upgrade immediately to Cesanta Mongoose version 7.21 or later, which contains the complete fix via commit 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1 addressing the heap overflow in mg_tls_recv_cert() function. Download the patched release from https://github.com/cesanta/mongoose/releases/tag/7.21 or apply the specific commit patch from https://github.com/cesanta/mongoose/commit/0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1 if building from source. If immediate upgrade is not feasible, consider temporary risk mitigation by disabling TLS 1.3 support if operationally acceptable, restricting network access to Mongoose-based services to trusted clients only, or deploying network-layer filtering to inspect TLS handshakes for anomalous certificate structures. Verify patched version deployment and conduct regression testing to ensure TLS functionality remains intact post-upgrade. The vendor responded professionally with rapid patch turnaround, making upgrade the strongly preferred remediation path over workarounds.

CVE-2025-23061 CRITICAL POC
9.0 Jan 15

Mongoose ODM for Node.js before version 8.9.5 contains a search injection vulnerability when using $where filters with p

CVE-2017-2894 CRITICAL POC
9.8 Nov 07

An exploitable stack buffer overflow vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6

CVE-2017-2891 CRITICAL POC
9.8 Nov 07

An exploitable use-after-free vulnerability exists in the HTTP server implementation of Cesanta Mongoose 6.8. Rated crit

CVE-2017-2922 CRITICAL POC
9.8 Nov 07

An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8.

CVE-2017-2921 CRITICAL POC
9.8 Nov 07

An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8.

CVE-2023-3696 CRITICAL POC
9.8 Jul 17

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4. Rated critical severity (CVSS 9.8), this vu

CVE-2022-2564 CRITICAL POC
9.8 Jul 28

Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6. Rated critical severity (CVSS 9.8), this vu

CVE-2019-19307 CRITICAL POC
9.8 Nov 26

An integer overflow in parse_mqtt in mongoose.c in Cesanta Mongoose 6.16 allows an attacker to achieve remote DoS (infin

CVE-2024-53900 CRITICAL POC
9.1 Dec 02

Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. Rated critical severity (CVSS 9.1

CVE-2021-26530 CRITICAL POC
9.1 Feb 08

The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 (compiled with OpenSSL support) is vulnerable to remote OO

CVE-2021-26529 CRITICAL POC
9.1 Feb 08

The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 and 6.7-6.18 (compiled with mbedTLS support) is vulnerable

CVE-2021-26528 CRITICAL POC
9.1 Feb 08

The mg_http_serve_file function in Cesanta Mongoose HTTP server 7.0 is vulnerable to remote OOB write attack via connect

Share

EUVD-2026-18170 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy