Cesanta Mongoose TLS ClientHello Out-of-Bounds Read Vulnerability
Cesanta Mongoose before 7.22 contains an out-of-bounds read in the built-in TLS server function mg_tls_server_recv_hello(), which uses an attacker-controlled session_id_len byte from a TLS ClientHello as a buffer index without validating it against the length of received data. A remote, unauthenticated attacker can send a single crafted ClientHello with an oversized session id length to read past the receive buffer, crashing any HTTPS, MQTTS, or WSS service built on MG_TLS_BUILTIN.
Quick answer
Cesanta Mongoose should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Mongoose before 7.22
Fixed versions
- 7.22
How to fix it
Cesanta Mongoose before 7.22 is affected by an out-of-bounds read in the built-in TLS server when parsing ClientHello session_id_len. Upgrade Mongoose to 7.22 or later and rebuild any embedded HTTPS, MQTTS, or WSS service that uses MG_TLS_BUILTIN. Prioritize internet-facing embedded devices and services exposed on TLS ports.
- Inventory applications, firmware, embedded devices, and services built with Cesanta Mongoose MG_TLS_BUILTIN.
- Upgrade Mongoose to 7.22 or later and rebuild affected binaries or firmware images.
- Deploy patched images to HTTPS, MQTTS, and WSS services using the built-in TLS stack.
- Restrict TLS service exposure or place affected services behind a hardened proxy until the update is deployed.
- Review crash logs and watchdog resets for crafted TLS ClientHello activity.
- Add fuzz or regression tests for malformed TLS ClientHello session ID lengths.
- Rotate service credentials only if crash telemetry or incident review indicates broader compromise.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm the built binary or firmware uses Mongoose 7.22 or later.
- Validate malformed TLS ClientHello messages no longer crash the service.
- Review service logs and device telemetry for pre-patch crash patterns.
- Test legitimate HTTPS, MQTTS, and WSS workflows after deployment.
- Run a Fixnx scan and confirm public TLS services respond normally after remediation.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-11404?
Cesanta Mongoose versions listed as affected should be reviewed: Mongoose before 7.22.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
