Description
A vulnerability has been found in Cesanta Mongoose up to 7.20. It affects the function mg_tls_recv_cert in the file mongoose.c, part of the TLS 1.3 handler. Manipulation of the argument pubkey leads to a heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.21 mitigates this issue; the fix is commit 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Published: 2026-04-02
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Heap-based buffer overflow
Action: Upgrade
AI Analysis

Impact

A heap-based buffer overflow was discovered in the mg_tls_recv_cert function of Cesanta Mongoose's TLS 1.3 handler. Manipulating the pubkey argument during the TLS handshake can corrupt heap memory, potentially allowing an attacker to execute arbitrary code or crash the process. The vulnerability is classified as a buffer overflow weakness (CWE-119, CWE-122).

Affected Systems

The flaw affects all Cesanta Mongoose releases up to and including version 7.20. The vendor released a fixed build in version 7.21, which incorporates the patch commit 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. Upgrading to that or a later release eliminates the issue.

Risk and Exploitability

The CVSS score is 6.9, indicating moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation is possible remotely by supplying a crafted TLS certificate during the handshake; this requires the target to accept connections from untrusted client peers. Due to the public disclosure and demonstrated exploitability, the issue poses a tangible risk to affected deployments.

Generated by OpenCVE AI on April 2, 2026 at 10:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cesanta Mongoose to version 7.21 or later.
  • Verify that the production build contains the patch commit 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1 or an equivalent change.
  • If an upgrade is temporarily infeasible, restrict TLS 1.3 connections to trusted peers or disable TLS 1.3 while monitoring for anomalous certificate exchanges.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 14:15:00 +0000

Values added (nothing removed):
Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 08:00:00 +0000

Values added (nothing removed):
Description: A vulnerability has been found in Cesanta Mongoose up to 7.20. This affects the function mg_tls_recv_cert of the file mongoose.c of the component TLS 1.3 Handler. Such manipulation of the argument pubkey leads to heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.21 mitigates this issue. The name of the patch is 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Title: Cesanta Mongoose TLS 1.3 mongoose.c mg_tls_recv_cert heap-based overflow
First Time appeared: Cesanta; Cesanta mongoose
Weaknesses: CWE-119; CWE-122
CPEs: cpe:2.3:a:cesanta:mongoose:*:*:*:*:*:*:*:*
Vendors & Products: Cesanta; Cesanta mongoose
References: (none)
Metrics:
  cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
  cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
  cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
  cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-02T13:31:54.915Z

Reserved: 2026-03-31T14:45:47.381Z

Link: CVE-2026-5244

Vulnrichment

Updated: 2026-04-02T13:23:07.388Z

NVD

Status: Received

Published: 2026-04-02T08:16:28.683

Modified: 2026-04-02T08:16:28.683

Link: CVE-2026-5244

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:22:12Z

Weaknesses