CVE-2026-11404 Cesanta Mongoose < 7.22 Out-of-Bounds Read in MG_TLS_BUILTIN ClientHello Session ID Parsing
Cesanta Mongoose before 7.22 contains an out-of-bounds read in the built-in TLS server function mgtlsserverrecvhello, which uses an attacker-controlled sessionidlen byte from a TLS ClientHello as a buffer index without validating it against the length of received data. A remote, unauthenticated...