Cesanta Mongoose mDNS Record mongoose.c handle_mdns_record stack-based overflow
Summary
| CVE | CVE-2026-5245 |
|---|---|
| State | PUBLISHED |
| Assigner | VulDB |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-02 10:16:17 UTC |
| Updated | 2026-04-03 16:10:52 UTC |
| Description | A vulnerability was found in Cesanta Mongoose up to 7.20. This impacts the function handle_mdns_record of the file mongoose.c of the component mDNS Record Handler. Performing a manipulation of the argument buf results in stack-based buffer overflow. Remote exploitation of the attack is possible. A high degree of complexity is needed for the attack. The exploitability is said to be difficult. The exploit has been made public and could be used. Upgrading to version 7.21 will fix this issue. The patch is named 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. |
Risk And Classification
Primary CVSS: v4.0 6.3 MEDIUM from [email protected]
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.000580000 probability, percentile 0.182250000 (date 2026-04-02)
Problem Types: CWE-119 | CWE-121 | CWE-121 Stack-based Buffer Overflow | CWE-119 Memory Corruption
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 6.3 | MEDIUM | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/C... |
| 4.0 | CNA | DECLARED | 6.3 | MEDIUM | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P |
| 3.1 | [email protected] | Primary | 5.6 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |
| 3.1 | CNA | DECLARED | 5.6 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
| 3.0 | CNA | DECLARED | 5.6 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
| 2.0 | [email protected] | Secondary | 5.1 | AV:N/AC:H/Au:N/C:P/I:P/A:P | |
| 2.0 | CNA | DECLARED | 5.1 | AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
HighAttack Requirements
NonePrivileges Required
NoneUser Interaction
NoneConfidentiality
LowIntegrity
LowAvailability
LowSub Conf.
NoneSub Integrity
NoneSub Availability
NoneCVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
HighPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
LowIntegrity
LowAvailability
LowCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS v3.0 Breakdown
Attack Vector
NetworkAttack Complexity
HighPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
LowIntegrity
LowAvailability
LowCVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Cesanta | Mongoose | affected 7.0 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.1 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.2 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.3 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.4 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.5 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.6 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.7 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.8 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.9 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.10 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.11 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.12 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.13 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.14 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.15 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.16 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.17 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.18 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.19 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.20 | Not specified |
| CNA | Cesanta | Mongoose | unaffected 7.21 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/cesanta/mongoose/releases/tag/7.21 | [email protected] | github.com | |
| vuldb.com/submit/770103 | [email protected] | vuldb.com | |
| vuldb.com/vuln/354826 | [email protected] | vuldb.com | |
| github.com/cesanta/mongoose | [email protected] | github.com | |
| vuldb.com/vuln/354826/cti | [email protected] | vuldb.com | |
| github.com/cesanta/mongoose/commit/0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1 | [email protected] | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: the_evilsocket (VulDB User) (en)
CNA: VulDB CNA Team (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-04-02T00:00:00.000Z | Advisory disclosed |
| CNA | 2026-04-02T02:00:00.000Z | VulDB entry created |
| CNA | 2026-04-02T09:48:24.000Z | VulDB entry last update |
There are currently no legacy QID mappings associated with this CVE.