PT-2026-21494 · Cesanta · Cesanta Mongoose

Dwbruijn · Published 2026-02-23 · Updated 2026-04-30 · CVE-2026-2967

CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

Cesanta Mongoose versions prior to 7.21

Description

A security issue exists in Cesanta Mongoose. The getpeer function within the TCP Sequence Number Handler component, located in /src/net_builtin.c, does not properly verify the source of a communication channel. The attack can be launched remotely, but it has high complexity and is difficult to exploit. The exploit has been publicly disclosed.

Recommendations

Update to version 7.21 or later. As a temporary workaround, consider restricting access to the getpeer function until a patch is available.


Related Identifiers

CVE-2026-2967
JLSEC-2026-367

Affected Products

Cesanta Mongoose