Cesanta Mongoose GCM Authentication Tag tls_aes128.c mg_aes_gcm_decrypt signature verification
Summary
| CVE | CVE-2026-6986 |
|---|---|
| State | PUBLISHED |
| Assigner | VulDB |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-25 17:16:33 UTC |
| Updated | 2026-04-29 19:00:39 UTC |
| Description | A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This issue affects the function mg_aes_gcm_decrypt of the file /src/tls_aes128.c of the component GCM Authentication Tag Handler. Such manipulation leads to improper verification of cryptographic signature. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 7.21 is capable of addressing this issue. It is advisable to upgrade the affected component. VulDB has contacted the vendor early and they confirmed quickly, that this issue got fixed already. |
Risk And Classification
Primary CVSS: v4.0 2.9 LOW from [email protected]
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.000100000 probability, percentile 0.011910000 (date 2026-05-05)
Problem Types: CWE-345 | CWE-347 | CWE-347 Improper Verification of Cryptographic Signature | CWE-345 Insufficient Verification of Data Authenticity
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 2.9 | LOW | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/C... |
| 4.0 | CNA | DECLARED | 6.3 | MEDIUM | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |
| 3.1 | [email protected] | Primary | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 3.1 | CNA | DECLARED | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
| 3.0 | CNA | DECLARED | 3.7 | LOW | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
| 2.0 | [email protected] | Secondary | 2.6 | AV:N/AC:H/Au:N/C:N/I:P/A:N | |
| 2.0 | CNA | DECLARED | 2.6 | AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
HighAttack Requirements
NonePrivileges Required
NoneUser Interaction
NoneConfidentiality
NoneIntegrity
LowAvailability
NoneSub Conf.
NoneSub Integrity
NoneSub Availability
NoneCVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
HighPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
LowAvailability
NoneCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS v3.0 Breakdown
Attack Vector
NetworkAttack Complexity
HighPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
LowAvailability
NoneCVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Cesanta | Mongoose | affected 7.0 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.1 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.2 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.3 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.4 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.5 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.6 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.7 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.8 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.9 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.10 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.11 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.12 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.13 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.14 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.15 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.16 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.17 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.18 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.19 | Not specified |
| CNA | Cesanta | Mongoose | affected 7.20 | Not specified |
| CNA | Cesanta | Mongoose | unaffected 7.21 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| vuldb.com/vuln/359529 | [email protected] | vuldb.com | Third Party Advisory, VDB Entry |
| github.com/cesanta/mongoose/releases/tag/7.21 | [email protected] | github.com | Release Notes |
| vuldb.com/submit/796231 | [email protected] | vuldb.com | Third Party Advisory, VDB Entry |
| vuldb.com/vuln/359529/cti | [email protected] | vuldb.com | Permissions Required, VDB Entry |
| github.com/dwBruijn/CVEs/blob/main/Mongoose/AESGCM.md | [email protected] | github.com | Exploit, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: dwbruijn (VulDB User) (en)
CNA: VulDB CNA Team (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-04-24T00:00:00.000Z | Advisory disclosed |
| CNA | 2026-04-24T02:00:00.000Z | VulDB entry created |
| CNA | 2026-04-24T21:18:01.000Z | VulDB entry last update |
There are currently no legacy QID mappings associated with this CVE.