PT-2026-21490 · Cesanta · Cesanta Mongoose

Dwbruijn · Published 2026-02-23 · Updated 2026-04-30 · CVE-2026-2966

CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Cesanta Mongoose versions up to 7.20

Description

A weakness exists in Cesanta Mongoose related to insufficiently random values generated by the mg_sendnsreq function within the DNS Transaction ID Handler component, located in the file /src/dns.c. Manipulation of the random argument can trigger this issue. The attack can be launched remotely and is considered difficult to exploit, but the exploit has been publicly released. The vendor was contacted regarding this disclosure but did not respond.

Recommendations

Versions prior to 7.20 should be updated. As a temporary workaround, consider restricting access to the DNS Transaction ID Handler component to minimize the risk of exploitation.

Exploit

Fix

Weakness Enumeration

Use of Insufficiently Random Values

Related Identifiers

CVE-2026-2966
JLSEC-2026-366

Affected Products

Cesanta Mongoose