| Titel | Cesanta Mongoose 7.20 Denial of Service |
|---|
| Beschreibung | The handle_opt() function in /src/net_builtin.c enters an infinite loop when parsing a TCP option with a zero-length field, permanently freezing the entire Mongoose event loop with a single unauthenticated packet. The function iterates over TCP options and uses the attacker-controlled optlen field to advance through the option bytes, but never validates that optlen is non-zero. When optlen is 0, the loop executes opts += 0; len -= 0; on every iteration, and so the pointer never advances, the remaining length never decreases, and the loop condition len > 0 remains true forever.
This vulnerability is triggered in the initial frame receive path of mg_mgr_poll(), before any TCP connection is created, before any protocol parsing (HTTP, MQTT, WebSocket, TLS), and before any authentication. A single TCP SYN packet with a malformed option field is sufficient. Because Mongoose uses a single-threaded event loop by default, the infinite loop freezes the entire device permanently. No existing connections can make progress, no new connections can be accepted, no timers fire, and no recovery is possible without a power cycle or watchdog reset.
Vendor was made aware of the vulnerability and a patch has been released in v7.21. |
|---|
| Quelle | ⚠️ https://github.com/dwBruijn/CVEs/blob/main/Mongoose/TCP_opt_dos.md |
|---|
| Benutzer | dwbruijn (UID 93926) |
|---|
| Einreichung | 03.04.2026 07:23 (vor 23 Tagen) |
|---|
| Moderieren | 24.04.2026 21:12 (22 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 359528 [Cesanta Mongoose bis 7.20 TCP Option /src/net_builtin.c handle_opt optlen Denial of Service] |
|---|
| Punkte | 20 |
|---|