CVE-2026-2967

A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This affects the function getpeer of the file /src/net_builtin.c of the component TCP Sequence Number Handler. The manipulation leads to improper verification of source of a communication channel. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS v3 3.7 LOW
CVSS v2.0 2.6 LOW

3.7^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

2.6^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:N/AC:H/Au:N/C:N/I:N/A:P

Exploitability : 4.9 / Impact : 2.9

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://github.com/dwBruijn/CVEs/blob/main/Mongoose/tcp_rst.md	Exploit Third Party Advisory
https://github.com/dwBruijn/CVEs/blob/main/Mongoose/tcp_rst.md#poc	Exploit Third Party Advisory
https://vuldb.com/?ctiid.347334	Permissions Required VDB Entry
https://vuldb.com/?id.347334	Third Party Advisory VDB Entry
https://vuldb.com/?submit.755450	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:cesanta:mongoose:*:*:*:*:*:*:*:*

History

23 Feb 2026, 20:17

Type	Values Removed	Values Added
CPE		cpe:2.3:a:cesanta:mongoose::::::::
References	~~() https://github.com/dwBruijn/CVEs/blob/main/Mongoose/tcp_rst.md -~~	() https://github.com/dwBruijn/CVEs/blob/main/Mongoose/tcp_rst.md - Exploit, Third Party Advisory
References	~~() https://github.com/dwBruijn/CVEs/blob/main/Mongoose/tcp_rst.md#poc -~~	() https://github.com/dwBruijn/CVEs/blob/main/Mongoose/tcp_rst.md#poc - Exploit, Third Party Advisory
References	~~() https://vuldb.com/?ctiid.347334 -~~	() https://vuldb.com/?ctiid.347334 - Permissions Required, VDB Entry
References	~~() https://vuldb.com/?id.347334 -~~	() https://vuldb.com/?id.347334 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/?submit.755450 -~~	() https://vuldb.com/?submit.755450 - Third Party Advisory, VDB Entry
First Time		Cesanta mongoose Cesanta

23 Feb 2026, 18:13

Type	Values Removed	Values Added
Summary		(es) Se ha detectado una vulnerabilidad de seguridad en Cesanta Mongoose hasta la versión 7.20. La cual afecta a la función getpeer del archivo /src/net_builtin.c del componente Gestor de Números de Secuencia TCP. Si se manipula se puede provocar una verificación incorrecta del origen de un canal de comunicación. El ataque puede ser iniciado de forma remota. Está calificado de complejidad alta y difícil de explotar. El exploit ha sido divulgado públicamente y puede ser utilizado. El proveedor fue contactado con antelación sobre esta divulgación, pero no respondió de ninguna manera.

23 Feb 2026, 04:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-23 04:16

Updated : 2026-02-23 20:17

NVD link : CVE-2026-2967

Mitre link : CVE-2026-2967

CVE.ORG link : CVE-2026-2967

JSON object : View

Products Affected

cesanta

mongoose

CWE

CWE-940

Improper Verification of Source of a Communication Channel

3.7 /10

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

2.6 /10

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2026-2967

3.7^/10

2.6^/10

Attach tags to `CVE-2026-2967`