So, Mongoose. If you’ve never heard of it, you’ve almost certainly used a device that runs it. It’s a single-file, cross-platform embedded network library written in C by Cesanta that provides HTTP/HTTPS, WebSocket, MQTT, mDNS and more, designed specifically for embedded systems and IoT devices where something like OpenSSL would be way too heavy. Their own website claims deployment on hundreds of millions of devices by companies like Siemens, Schneider Electric, Broadcom, Bosch, Google, Samsung, Qualcomm and Caterpillar. They even claim it runs on the International Space Station. We’re talking everything from smart home gateways and IP cameras to industrial PLCs, SCADA systems and, apparently, space.

One of Mongoose’s key selling points is its built-in TLS 1.3 implementation (`MG_TLS_BUILTIN`). Instead of linking against OpenSSL or mbedTLS, you get TLS right out of the box, including mutual TLS (mTLS) for client certificate authentication. This is particularly appealing for embedded devices where every kilobyte of firmware matters and cross-compiling OpenSSL for some obscure MIPS or ARM SoC is a pain. Sounds great, right?

During one of the usual weekend fun projects, I found three vulnerabilities in Mongoose v7.20, each independently exploitable: complete bypass of mTLS authentication, preauth RCE as root via a heap overflow in the client public key parsing logic, and preauth RCE via a single UDP packet through mDNS. No authentication required for any of them. Not that authentication can’t be bypassed anyway :D

# Disclosure Timeline

- 2026-02-17 - Vulnerabilities reported, as per project README, via email to [email protected] with full technical details, weaponized exploits and proposed fixes.
- 2026-02-26 - Created GitHub issue #3453 to get any sort of ACK.
- 2026-02-26 - Maintainer response: “Please do not discuss security stuff here.
You will receive a response in due time.” Issue closed as “not planned.”
- 2026-02-26 - Cesanta finally realizes they wrote the wrong email address in the project README, and the conversation actually starts …
- 2026-03-02 - VulDB is involved for coordination and CVE assignment.
- 2026-03-31 - CVE-2026-5244, CVE-2026-5245 and CVE-2026-5246 assigned.
- 2026-04-01 - Mongoose v7.21 is released, including the patches.
- 2026-04-02 - Public disclosure from yours truly

# Summary

| CVE | Description |
|---|---|
| CVE-2026-5246 | `mg_tls_verify_cert_signature()` returns success without checking the signature when the CA uses a P-384 key. Any client certificate from any CA is accepted. Complete mTLS bypass. (CVSS 5.6 Medium, CWE-295 Improper Certificate Validation) |
| CVE-2026-5244 | `mg_tls_recv_cert()` copies an attacker-controlled RSA public key into a fixed 528-byte heap buffer with no bounds check. Heap overflow overwrites the `mg_connection->fn` function pointer → shellcode execution as root. (CVSS 7.3 High, CWE-122 Heap-based Buffer Overflow) |
| CVE-2026-5245 | `handle_mdns_record()` packs four DNS records into a 282-byte stack buffer without bounds checking. A single UDP packet overflows the stack by 386 bytes, corrupting saved registers and the return address. On MIPS with executable stack, this is exploitable for preauth RCE. (CVSS 5.6 Medium, CWE-121 Stack-based Buffer Overflow) |

All three affect Mongoose versions 7.0 through 7.20. Fixed in version 7.21.

# Impact

A remote unauthenticated attacker can:

- Bypass mTLS authentication entirely on any Mongoose server using a P-384 CA certificate, gaining unauthorized access to management interfaces on critical infrastructure.
- Achieve remote code execution as root during the TLS handshake, before any HTTP request is processed, via a heap buffer overflow triggered by a crafted client certificate.
- Achieve remote code execution via mDNS with a single 34-byte UDP packet on IoT gateways, industrial controllers, and embedded systems (when the mDNS TXT buffer is configured larger than default).

# Affected Systems

Mongoose is deployed on hundreds of millions of devices by companies including Siemens, Schneider Electric, Broadcom, Bosch, Google, Samsung, Qualcomm, and Caterpillar. Any device using `MG_TLS_BUILTIN` or mDNS is potentially affected:

- Industrial PLCs and SCADA gateways
- Smart home hubs and IP cameras
- Building automation controllers
- Medical devices
- Automotive infotainment systems
- Any embedded device running Mongoose 7.0-7.20

# Remediation

Update to Mongoose 7.21, which contains fixes for all three vulnerabilities. If you can’t update, switch from `MG_TLS_BUILTIN` to OpenSSL or mbedTLS for your TLS implementation. If you’re using mDNS, disable it if you don’t need it. Do not use P-384 CA certificates with Mongoose’s built-in TLS on any version prior to 7.21. If running on embedded devices with no hardening (no ASLR, no PIE, executable heap - which is most of them), treat this as critical priority.

# Bug 1: “ignore secp386 for now” - mTLS Authentication Bypass (CVE-2026-5246)

Let’s start with the fun one, the one that made me literally say “no way” out loud. Mutual TLS (mTLS) is the gold standard for ...
Three critical vulnerabilities in the Mongoose embedded network library (v7.20) allow for pre-authentication remote code execution and mTLS bypass: CVE-2026-5244 (CVSS 7.3 High) is a heap overflow in RSA public key parsing, CVE-2026-5245 (CVSS 5.6 Medium) is a stack buffer overflow via mDNS, and CVE-2026-5246 (CVSS 5.6 Medium) is a complete mTLS bypass when a CA uses a P-384 key. These vulnerabilities are fixed in Mongoose version 7.21.
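The two unchecked copies into fixed-size buffers described in the Summary (the 528-byte key buffer in CVE-2026-5244 and the 282-byte mDNS record buffer in CVE-2026-5245) share the same defensive fix: check the declared length against both the bytes actually received and the destination capacity before copying. The C code below is an added illustration of that pattern, not Mongoose’s code or its 7.21 patch. The function names, the 2-byte length prefix and the record layout are assumptions; only the two buffer sizes come from the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not Mongoose code: a bounded append helper standing in for
 * the two unchecked copies described above. Capacities are the page's
 * figures (528-byte RSA key buffer, 282-byte mDNS record buffer). */
#define PUBKEY_BUF_CAP 528
#define MDNS_BUF_CAP   282

struct bounded_buf {
  uint8_t *data;   /* backing storage */
  size_t cap;      /* bytes available */
  size_t len;      /* bytes used so far (invariant: len <= cap) */
};

/* Append n bytes; return 0 on success, -1 and leave the buffer untouched
 * if the write would run past the capacity. */
static int bb_append(struct bounded_buf *bb, const uint8_t *src, size_t n) {
  if (n > bb->cap - bb->len) return -1;  /* no underflow: len <= cap */
  memcpy(bb->data + bb->len, src, n);
  bb->len += n;
  return 0;
}

/* Hypothetical wire format: 2-byte big-endian length, then the key bytes.
 * The declared length is checked against BOTH the bytes actually received
 * (truncated input) and the destination capacity (oversized key). */
int recv_pubkey_checked(const uint8_t *in, size_t in_len,
                        uint8_t *out, size_t *out_len) {
  if (in_len < 2) return -1;
  size_t declared = ((size_t) in[0] << 8) | in[1];
  if (declared > in_len - 2) return -1;                  /* truncated */
  struct bounded_buf bb = { out, PUBKEY_BUF_CAP, 0 };
  if (bb_append(&bb, in + 2, declared) != 0) return -1;  /* too large */
  *out_len = bb.len;
  return 0;
}

/* Pack several records into one fixed buffer; fail on the first record
 * that does not fit instead of writing past the end. */
int pack_records_checked(const uint8_t *recs[], const size_t lens[], size_t n,
                         uint8_t *out, size_t *out_len) {
  struct bounded_buf bb = { out, MDNS_BUF_CAP, 0 };
  for (size_t i = 0; i < n; i++)
    if (bb_append(&bb, recs[i], lens[i]) != 0) return -1;
  *out_len = bb.len;
  return 0;
}
```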