CVE-2026-6986

Exploit

EPSS 0.22%
Veröffentlicht 25.04.2026 16:30:13
Zuletzt bearbeitet 29.04.2026 19:00:39
Quelle cna@vuldb.com
CVE-Watchlists
Login
Unerledigt
Login

Cesanta Mongoose GCM Authentication Tag tls_aes128.c mg_aes_gcm_decrypt signature verification

A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This issue affects the function mg_aes_gcm_decrypt of the file /src/tls_aes128.c of the component GCM Authentication Tag Handler. Such manipulation leads to improper verification of cryptographic signature. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 7.21 is capable of addressing this issue. It is advisable to upgrade the affected component. VulDB has contacted the vendor early and they confirmed quickly, that this issue got fixed already.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 8

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cesanta ≫ Mongoose Version >= 7.0 < 7.21

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.22%	0.119

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cna@vuldb.com	3.7	2.2	1.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
cna@vuldb.com	2.9	0	0	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cna@vuldb.com	2.6	4.9	2.9	AV:N/AC:H/Au:N/C:N/I:P/A:N

CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

https://github.com/cesanta/mongoose/releases/tag/7.21

Release Notes

https://vuldb.com/vuln/359529

Third Party Advisory

VDB Entry

https://vuldb.com/vuln/359529/cti

VDB Entry

Permissions Required

https://vuldb.com/submit/796231

Third Party Advisory

VDB Entry

https://github.com/dwBruijn/CVEs/blob/main/Mongoose/AESGCM.md

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-6986

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-6986

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-6986

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-6986