No analysis available yet.
No remediation available yet.
Tracking
Sign in to view the affected projects.
No advisories yet.
Thu, 09 Jul 2026 16:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Cesanta
Cesanta mongoose |
|
| Vendors & Products |
Cesanta
Cesanta mongoose |
Thu, 09 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 09 Jul 2026 15:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Cesanta Mongoose before 7.22 contains an out-of-bounds read in the built-in TLS server function mg_tls_server_recv_hello(), which uses an attacker-controlled session_id_len byte from a TLS ClientHello as a buffer index without validating it against the length of received data. A remote, unauthenticated attacker can send a single crafted ClientHello with an oversized session id length to read past the receive buffer, crashing any HTTPS, MQTTS, or WSS service built on MG_TLS_BUILTIN. | |
| Title | Cesanta Mongoose < 7.22 Out-of-Bounds Read in MG_TLS_BUILTIN ClientHello Session ID Parsing | |
| Weaknesses | CWE-125 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-09T16:09:53.129Z
Reserved: 2026-06-05T17:46:47.767Z
Link: CVE-2026-11404
Updated: 2026-07-09T16:09:49.927Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-09T16:30:05Z
-
CWE-125
Out-of-bounds Read