Cesanta Mongoose before 7.22 contains an out-of-bounds read in the built-in TLS server function mgtlsserverrecvhello(), which uses an attacker-controlled sessionidlen byte from a TLS ClientHello as a buffer index without validating it against the length of received data. A remote, unauthenticated attacker can send a single crafted ClientHello with an oversized session id length to read past the receive buffer, crashing any HTTPS, MQTTS, or WSS service built on MGTLSBUILTIN.
{
"cna_assigner": "VulnCheck",
"cwe_ids": [
"CWE-125"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/11xxx/CVE-2026-11404.json"
}