PT-2026-21495 · Cesanta · Cesanta Mongoose

Dwbruijn · Published 2026-02-23 · Updated 2026-02-23 · CVE-2026-2968

CVSS v3.1: 3.7 Low (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Name of the Vulnerable Software and Affected Versions

Cesanta Mongoose versions prior to 7.21

Description

A security issue exists in Cesanta Mongoose related to improper verification of cryptographic signatures. The issue resides in the mg_chacha20_poly1305_decrypt function within the /src/tls_chacha20.c file, specifically within the Poly1305 Authentication Tag Handler component. The attack can be initiated remotely and is considered to have high complexity, with difficult exploitability. The exploit is publicly available.

Recommendations

Update to version 7.21 or later. As a temporary workaround, consider restricting the use of the mg_chacha20_poly1305_decrypt function until a patch is available.

Weakness Enumeration

Improper Verification of Cryptographic Signature

Insufficient Verification of Data Authenticity

Related Identifiers

CVE-2026-2968

Affected Products

Cesanta Mongoose