Description
A weakness has been identified in Cesanta Mongoose up to 7.20. This vulnerability affects the function handle_opt in the file /src/net_builtin.c of the component TCP Option Handler. Manipulation of the argument optlen causes an infinite loop. The attack can be carried out remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 7.21 resolves this issue. Upgrading the affected component is advised. VulDB contacted the vendor early and they quickly confirmed that this issue had already been fixed.
Published: 2026-04-25
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via infinite loop
Action: Patch
AI Analysis

Impact

The vulnerability resides in handle_opt, the TCP option parser of Mongoose's built-in TCP/IP stack (src/net_builtin.c), and is triggered by a crafted optlen field in the TCP options of a received segment. The parser loops over the options without ever reaching its exit condition; the CPU stays busy and, because Mongoose runs a single-threaded event loop, all other connection handling on the device stops, which is a denial of service. The flaw is classified under CWE-404 (Improper Resource Shutdown or Release) and CWE-835 (Loop with Unreachable Exit Condition, i.e. an infinite loop). Option parsing happens on receipt of a segment, before any application-level authentication, so an unauthenticated remote attacker who can reach the device's TCP port can trigger the loop and render the affected device or service unresponsive.
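The bug class behind this advisory, shown as an added illustration rather than Mongoose's own code (the page does not reproduce handle_opt, and the functions, struct and sample byte strings below are constructed for this example): a TCP option walker that bounds-checks the wire-supplied optlen but never checks that the cursor advances, beside a hardened walker that rejects an optlen below 2 or beyond the remaining bytes. The option layout follows RFC 9293 (EOL and NOP are one byte; every other option carries a length byte covering kind, length and data). The vulnerable walker takes an iteration budget purely so that the hang is observable in a test; the real bug class has no such cap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP option kinds (RFC 9293). EOL and NOP are single-byte; every other
 * option carries a length byte that counts kind + length + data. */
#define TCP_OPT_EOL 0
#define TCP_OPT_NOP 1
#define TCP_OPT_MSS 2

struct tcp_opts {
  int count;    /* options consumed */
  unsigned mss; /* MSS value if an MSS option was present, else 0 */
};

/* Illustrative buggy walker (hypothetical, NOT Mongoose's handle_opt): the
 * length is bounds-checked, but with optlen == 0 neither the cursor nor the
 * remaining length changes, so the loop never exits. Returns 0 on
 * completion, -1 when `budget` iterations are exhausted, which stands in
 * for the infinite loop the real bug class produces. */
int parse_opts_vulnerable(const uint8_t *opts, size_t len,
                          struct tcp_opts *out, unsigned budget) {
  memset(out, 0, sizeof(*out));
  while (len > 0) {
    if (budget-- == 0) return -1;         /* would spin forever without the cap */
    uint8_t kind = opts[0];
    if (kind == TCP_OPT_EOL) break;
    if (kind == TCP_OPT_NOP) { opts++; len--; out->count++; continue; }
    if (len < 2) break;
    uint8_t optlen = opts[1];             /* attacker-controlled */
    if (optlen > len) break;              /* bounds are checked... */
    if (kind == TCP_OPT_MSS && optlen == 4)
      out->mss = ((unsigned) opts[2] << 8) | opts[3];
    opts += optlen;                       /* ...but progress is not: optlen 0 */
    len -= optlen;                        /* leaves opts and len unchanged */
    out->count++;
  }
  return 0;
}

/* Hardened walker: a length-carrying option must consume at least two bytes
 * and must fit in what is left. Returns 0 on success, -1 on malformed input. */
int parse_opts_hardened(const uint8_t *opts, size_t len, struct tcp_opts *out) {
  memset(out, 0, sizeof(*out));
  while (len > 0) {
    uint8_t kind = opts[0];
    if (kind == TCP_OPT_EOL) break;
    if (kind == TCP_OPT_NOP) { opts++; len--; out->count++; continue; }
    if (len < 2) return -1;               /* kind byte without a length byte */
    uint8_t optlen = opts[1];
    if (optlen < 2) return -1;            /* 0 or 1 would never advance the cursor */
    if (optlen > len) return -1;          /* would read past the TCP header */
    if (kind == TCP_OPT_MSS) {
      if (optlen != 4) return -1;
      out->mss = ((unsigned) opts[2] << 8) | opts[3];
    }
    opts += optlen;
    len -= optlen;
    out->count++;
  }
  return 0;
}

/* Constructed option blocks (not captured traffic). */
static const uint8_t OPTS_BENIGN[]    = { 2, 4, 0x05, 0xb4, 1, 1, 4, 2 }; /* MSS 1460, NOP, NOP, SACK-permitted */
static const uint8_t OPTS_ZERO_LEN[]  = { 2, 4, 0x05, 0xb4, 3, 0, 0, 0 }; /* window-scale kind with optlen 0 */
static const uint8_t OPTS_TRUNCATED[] = { 2, 4, 0x05 };                   /* MSS claims 4 bytes, only 3 present */

int demo_benign_hardened_count(void) {
  struct tcp_opts o;
  return parse_opts_hardened(OPTS_BENIGN, sizeof OPTS_BENIGN, &o) == 0 ? o.count : -1;
}
int demo_benign_hardened_mss(void) {
  struct tcp_opts o;
  return parse_opts_hardened(OPTS_BENIGN, sizeof OPTS_BENIGN, &o) == 0 ? (int) o.mss : -1;
}
int demo_benign_vulnerable_count(void) {
  struct tcp_opts o;
  return parse_opts_vulnerable(OPTS_BENIGN, sizeof OPTS_BENIGN, &o, 100000) == 0 ? o.count : -1;
}
int demo_zero_len_vulnerable(void) {
  struct tcp_opts o;
  return parse_opts_vulnerable(OPTS_ZERO_LEN, sizeof OPTS_ZERO_LEN, &o, 100000);
}
int demo_zero_len_hardened(void) {
  struct tcp_opts o;
  return parse_opts_hardened(OPTS_ZERO_LEN, sizeof OPTS_ZERO_LEN, &o);
}
int demo_truncated_hardened(void) {
  struct tcp_opts o;
  return parse_opts_hardened(OPTS_TRUNCATED, sizeof OPTS_TRUNCATED, &o);
}

int main(void) {
  printf("benign/hardened:     count=%d mss=%d\n", demo_benign_hardened_count(), demo_benign_hardened_mss());
  printf("benign/vulnerable:   count=%d\n", demo_benign_vulnerable_count());
  printf("zero-len/vulnerable: rc=%d (budget exhausted: would spin forever)\n", demo_zero_len_vulnerable());
  printf("zero-len/hardened:   rc=%d\n", demo_zero_len_hardened());
  printf("truncated/hardened:  rc=%d\n", demo_truncated_hardened());
  return 0;
}
```

The point to take from the two walkers is that a bounds check on optlen is not enough: the loop invariant that has to hold is "each iteration consumes at least one byte", and a zero (or one) length byte from the peer violates it while passing every range check. Both walkers accept the benign SYN options; only the hardened one rejects the zero-length and truncated blocks instead of spinning or silently stopping.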

Affected Systems

Cesanta Mongoose up to and including version 7.20 is affected; version 7.21 contains the fix and upgrading is the recommended action. The vulnerable code is in src/net_builtin.c, Mongoose's built-in TCP/IP stack, which is compiled in when the library is built with MG_ENABLE_TCPIP (typically bare-metal or RTOS firmware that has no operating-system socket stack). Builds that use the host operating system's sockets do not compile this code path. No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS v4.0 base score of 6.9 (v3.1: 5.3) indicates moderate severity: the vector is network-reachable with no privileges or user interaction required, but the impact is limited to availability. The EPSS score below 1% reflects a low predicted probability of exploitation in the wild over the next 30 days, not a count of incidents, and the vulnerability is not listed in the CISA KEV catalog. The defect is reached through network traffic processed by the TCP option handler, so an attacker needs only the ability to send TCP segments to the device, not local access or credentials. A public proof of concept exists and the SSVC assessment records the exploit as automatable, so the low EPSS should not be read as low urgency for Internet-reachable devices; the remote, unauthenticated denial-of-service path warrants remediation.

Generated by OpenCVE AI on April 28, 2026 at 05:33 UTC.

Remediation

Fixed in Cesanta Mongoose 7.21; the vendor confirmed the fix to VulDB. No workaround other than restricting network exposure is listed.

OpenCVE Recommended Actions

  • Upgrade Cesanta Mongoose to version 7.21 or later to remove the infinite loop.
  • Mongoose is a source library compiled into the application, so the upgrade means rebuilding and redeploying (re-flashing, for firmware) every binary that embeds it; restarting a process does not pick up new code on its own. Builds that compile the built-in TCP/IP stack (net_builtin.c) are the ones that need attention.
  • If an upgrade cannot be performed immediately, restrict which hosts can reach the device's TCP listeners (firewall, ACL or network segmentation) until the fix is applied. The defect sits in the parsing of options on received TCP segments, and normal SYNs carry options such as MSS, so "blocking TCP option traffic" is not a usable filter; limiting the set of peers that can reach the device is the practical interim control.

Generated by OpenCVE AI on April 28, 2026 at 05:33 UTC.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 13:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 25 Apr 2026 16:30:00 +0000

Type: Description
Values Added: A weakness has been identified in Cesanta Mongoose up to 7.20. This vulnerability affects the function handle_opt of the file /src/net_builtin.c of the component TCP Option Handler. This manipulation of the argument optlen causes infinite loop. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 7.21 is able to resolve this issue. Upgrading the affected component is advised. VulDB has contacted the vendor early and they confirmed quickly, that this issue got fixed already.

Type: Title
Values Added: Cesanta Mongoose TCP Option net_builtin.c handle_opt infinite loop

Type: First Time appeared
Values Added: Cesanta; Cesanta mongoose

Type: Weaknesses
Values Added: CWE-404; CWE-835

Type: CPEs
Values Added: cpe:2.3:a:cesanta:mongoose:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Cesanta; Cesanta mongoose

Type: References
Values Added: (none listed)

Type: Metrics (cvssV2_0)
Values Added: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}

Type: Metrics (cvssV3_0)
Values Added: {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

Type: Metrics (cvssV4_0)
Values Added: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Cesanta Mongoose
MITRE

Status: PUBLISHED
Assigner: VulDB
Published:
Updated: 2026-04-27T12:35:36.821Z
Reserved: 2026-04-24T19:12:47.755Z
Link: CVE-2026-6985

Vulnrichment

Updated: 2026-04-27T12:35:33.405Z

NVD

Status: Analyzed
Published: 2026-04-25T17:16:33.520
Modified: 2026-04-29T19:05:12.250
Link: CVE-2026-6985

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:45:23Z

Weaknesses