HIGHVulnerability
Verified
Global

NVD HIGH: CVE-2026-11404 — Cesanta Mongoose before 7.22 contains an out-of-bounds read in the built-in TLS ...

·Source: NIST NVD

Updated:

Executive Summary

Cesanta Mongoose before 7.22 contains an out-of-bounds read in the built-in TLS server function mg_tls_server_recv_hello(), which uses an attacker-controlled session_id_len byte from a TLS ClientHello as a buffer index without validating it against the length of received data. A remote, unauthenticated attacker can send a single crafted ClientHello with an oversized session id length to read past

Analysis

Cesanta Mongoose before 7.22 contains an out-of-bounds read in the built-in TLS server function mg_tls_server_recv_hello(), which uses an attacker-controlled session_id_len byte from a TLS ClientHello as a buffer index without validating it against the length of received data. A remote, unauthenticated attacker can send a single crafted ClientHello with an oversized session id length to read past the receive buffer, crashing any HTTPS, MQTTS, or WSS service built on MG_TLS_BUILTIN. CVSS Score: 7.5. Published: 2026-07-09T16:16:34.640.

Indicators of Compromise (1)

CVE (1)
CVE-2026-11404
Source Attribution

Originally published by NIST NVD on Jul 9, 2026. Verified by: NIST.

Related Threats