highCVE-2026-11404

Cesanta Mongoose TLS ClientHello Out-of-Bounds Read Vulnerability

Cesanta Mongoose before 7.22 contains an out-of-bounds read in the built-in TLS server function mg_tls_server_recv_hello(), which uses an attacker-controlled session_id_len byte from a TLS ClientHello as a buffer index without validating it against the length of received data. A remote, unauthenticated attacker can send a single crafted ClientHello with an oversized session id length to read past the receive buffer, crashing any HTTPS, MQTTS, or WSS service built on MG_TLS_BUILTIN.

ProductMongoose
CVSS8.7
EPSSNot scored yet
UpdatedJuly 9, 2026

Quick answer

Cesanta Mongoose should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Mongoose before 7.22

Fixed versions

  • 7.22

How to fix it

Cesanta Mongoose before 7.22 is affected by an out-of-bounds read in the built-in TLS server when parsing ClientHello session_id_len. Upgrade Mongoose to 7.22 or later and rebuild any embedded HTTPS, MQTTS, or WSS service that uses MG_TLS_BUILTIN. Prioritize internet-facing embedded devices and services exposed on TLS ports.

  1. Inventory applications, firmware, embedded devices, and services built with Cesanta Mongoose MG_TLS_BUILTIN.
  2. Upgrade Mongoose to 7.22 or later and rebuild affected binaries or firmware images.
  3. Deploy patched images to HTTPS, MQTTS, and WSS services using the built-in TLS stack.
  4. Restrict TLS service exposure or place affected services behind a hardened proxy until the update is deployed.
  5. Review crash logs and watchdog resets for crafted TLS ClientHello activity.
  6. Add fuzz or regression tests for malformed TLS ClientHello session ID lengths.
  7. Rotate service credentials only if crash telemetry or incident review indicates broader compromise.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm the built binary or firmware uses Mongoose 7.22 or later.
  • Validate malformed TLS ClientHello messages no longer crash the service.
  • Review service logs and device telemetry for pre-patch crash patterns.
  • Test legitimate HTTPS, MQTTS, and WSS workflows after deployment.
  • Run a Fixnx scan and confirm public TLS services respond normally after remediation.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-11404?

Cesanta Mongoose versions listed as affected should be reviewed: Mongoose before 7.22.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.