| tiêu đề | Cesanta Mongoose 7.20 Denial of Service |
|---|
| Mô tả | The handle_opt() function in /src/net_builtin.c enters an infinite loop when parsing a TCP option with a zero-length field, permanently freezing the entire Mongoose event loop with a single unauthenticated packet. The function iterates over TCP options and uses the attacker-controlled optlen field to advance through the option bytes, but never validates that optlen is non-zero. When optlen is 0, the loop executes opts += 0; len -= 0; on every iteration, and so the pointer never advances, the remaining length never decreases, and the loop condition len > 0 remains true forever.
This vulnerability is triggered in the initial frame receive path of mg_mgr_poll(), before any TCP connection is created, before any protocol parsing (HTTP, MQTT, WebSocket, TLS), and before any authentication. A single TCP SYN packet with a malformed option field is sufficient. Because Mongoose uses a single-threaded event loop by default, the infinite loop freezes the entire device permanently. No existing connections can make progress, no new connections can be accepted, no timers fire, and no recovery is possible without a power cycle or watchdog reset.
Vendor was made aware of the vulnerability and a patch has been released in v7.21. |
|---|
| Nguồn | ⚠️ https://github.com/dwBruijn/CVEs/blob/main/Mongoose/TCP_opt_dos.md |
|---|
| Người dùng | dwbruijn (UID 93926) |
|---|
| Đệ trình | 03/04/2026 07:23 (cách đây 24 ngày) |
|---|
| Kiểm duyệt | 24/04/2026 21:12 (22 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 359528 [Cesanta Mongoose đến 7.20 TCP Option /src/net_builtin.c handle_opt optlen Từ chối dịch vụ] |
|---|
| điểm | 20 |
|---|