Description
A weakness has been identified in Cesanta Mongoose up to 7.20. The impacted element is the function mg_sendnsreq of the file /src/dns.c of the component DNS Transaction ID Handler. Executing a manipulation of the argument random can lead to insufficiently random values. The attack can be launched remotely. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-23
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Predictable DNS transaction IDs enabling spoofing
Action: Patch Now
AI Analysis

Impact

A weakness was identified in Cesanta Mongoose versions up to 7.20 in the mg_sendnsreq function used for DNS transaction ID handling. Manipulation of the random argument can produce insufficiently random values. The vulnerability can be exploited remotely, although the required complexity and difficulty of the exploitation are high. Public evidence of the exploit has been released. As a result, an attacker could potentially predict DNS transaction IDs and cause forged DNS responses to be accepted by the resolver.

Affected Systems

Cesanta Mongoose up to and including version 7.20.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. The EPSS score of less than 1% suggests low likelihood of widespread exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is remote and would require an attacker to predict DNS transaction IDs by manipulating the random value, a task that is complex and difficult. Publicly available exploit code demonstrates the feasibility of such an attack, but real‑world exploitation would still need to overcome the high complexity barrier.

Generated by OpenCVE AI on April 17, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cesanta Mongoose to a revision that implements a cryptographically secure random number generator for DNS transaction IDs.
  • Apply network restrictions to limit exposure of the vulnerable DNS resolver to untrusted traffic sources.
  • Enable DNSSEC validation on clients to detect and reject forged DNS responses.

Generated by OpenCVE AI on April 17, 2026 at 16:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 02:30:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in Cesanta Mongoose up to 7.20. The impacted element is the function mg_sendnsreq of the file /src/dns.c of the component DNS Transaction ID Handler. Executing a manipulation of the argument random can lead to insufficiently random values. The attack can be launched remotely. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title Cesanta Mongoose DNS Transaction ID dns.c mg_sendnsreq random values
First Time appeared Cesanta
Cesanta mongoose
Weaknesses CWE-310
CWE-330
CPEs cpe:2.3:a:cesanta:mongoose:*:*:*:*:*:*:*:*
Vendors & Products Cesanta
Cesanta mongoose
References
Metrics cvssV2_0

{'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Cesanta Mongoose
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T13:36:51.905Z

Reserved: 2026-02-22T07:57:24.272Z

Link: CVE-2026-2966

cve-icon Vulnrichment

Updated: 2026-02-23T13:36:44.960Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-23T03:15:59.373

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2966

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T16:30:05Z

Weaknesses