CVE-2026-2967 MEDIUM

CVE-2026-2967: Cesanta Mongoose TCP Sequence Number net_builtin.c getpeer verification of source

Vendor Cesanta
Product Mongoose
Weakness CWE-940
Published February 23, 2026
Last update February 23, 2026

CVSS base score

6.3/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This affects the function getpeer of the file /src/net_builtin.c of the component TCP Sequence Number Handler. The manipulation leads to improper verification of source of a communication channel. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

February 23, 2026 CVE published
February 23, 2026 Record updated