CVE-2021-26530

9.1 CRITICAL

📋 TL;DR

CVE-2021-26530 is a critical out-of-bounds write vulnerability in Cesanta Mongoose HTTPS server when compiled with OpenSSL support. Attackers can remotely execute arbitrary code or crash the server by sending connection requests after exhausting the memory pool. This affects any system running vulnerable versions of Mongoose server with TLS/HTTPS enabled.

💻 Affected Systems

Products:
  • Cesanta Mongoose HTTPS Server
Versions: Version 7.0 (specifically when compiled with OpenSSL support)
Operating Systems: All platforms where Mongoose is deployed
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when compiled with OpenSSL support and TLS/HTTPS functionality is enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Server crash causing denial of service and potential data corruption.

🟢 If Mitigated: Limited to denial of service if memory protections or exploit mitigations are in place.

🌐 Internet-Facing: HIGH - Remote unauthenticated exploitation possible against internet-facing servers.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or through lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept available in GitHub issues. Exploitation requires sending connection requests after memory pool exhaustion.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 7.1 and later

Vendor Advisory: https://github.com/cesanta/mongoose/issues/1204

Restart Required: Yes

Instructions:

1. Update Mongoose to version 7.1 or later.
2. Recompile the application with the updated library.
3. Restart the server/service.

🔧 Temporary Workarounds

Disable TLS/HTTPS (platform: all)

Disable TLS/HTTPS functionality if it is not required: recompile Mongoose without OpenSSL support or disable HTTPS in the configuration.

Network Segmentation (platform: linux)

Restrict access to the Mongoose server to trusted sources; the ACCEPT rule must be inserted before the DROP rule:

iptables -A INPUT -p tcp --dport [PORT] -s [TRUSTED_IPS] -j ACCEPT
iptables -A INPUT -p tcp --dport [PORT] -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit connections to trusted sources only
  • Deploy web application firewall (WAF) rules to detect and block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check if Mongoose version is 7.0 and compiled with OpenSSL support. Review build configuration and server logs for TLS initialization.

Check Version:

Mongoose is a library embedded in the application, so check the application's documentation or the version string in the bundled Mongoose source; a --version flag exists only if the application itself provides one.

Verify Fix Applied:

Verify that the bundled Mongoose is version 7.1 or later and that the application was rebuilt against it; the fix lives in the mg_tls_init function, so an updated source tree that has not been recompiled into the binary does not close the issue.
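An added helper for the version and build checks above (example code written for this page, not part of Mongoose or this advisory). It assumes that the bundled mongoose.h carries a MG_VERSION define and that OpenSSL support is selected at build time with the MG_ENABLE_OPENSSL macro; the header text and build flags below are constructed samples.

```python
import re
from typing import Optional, Tuple

VULNERABLE = (7, 0)  # only Mongoose 7.0 is listed as affected
FIXED = (7, 1)       # fixed in 7.1 and later

# Constructed sample inputs (not real project files).
HEADER_70 = '#define MG_VERSION "7.0"\n'
HEADER_71 = '#define MG_VERSION "7.1"\n'
FLAGS_OPENSSL = "-O2 -DMG_ENABLE_OPENSSL=1 -lssl -lcrypto"
FLAGS_PLAIN = "-O2"


def parse_mg_version(header_text: str) -> Optional[Tuple[int, ...]]:
    """Return the MG_VERSION define from mongoose.h as an int tuple, or None."""
    m = re.search(r'#define\s+MG_VERSION\s+"([0-9][0-9.]*)"', header_text)
    if m is None:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def openssl_enabled(build_flags: str) -> bool:
    """True if the flags contain -DMG_ENABLE_OPENSSL or -DMG_ENABLE_OPENSSL=N
    with N != 0 (assumption: this macro is how the build selects OpenSSL)."""
    m = re.search(r"-DMG_ENABLE_OPENSSL(?:=(\d+))?\b", build_flags)
    if m is None:
        return False
    return m.group(1) is None or int(m.group(1)) != 0


def assess(header_text: str, build_flags: str) -> str:
    """Classify one build's exposure to CVE-2021-26530."""
    ver = parse_mg_version(header_text)
    if ver is None:
        return "unknown"          # no MG_VERSION found; inspect manually
    if ver[:2] >= FIXED:
        return "fixed"            # 7.1 or later carries the fix
    if ver[:2] == VULNERABLE:
        # 7.0 is only exposed when TLS is compiled in via OpenSSL
        return "vulnerable" if openssl_enabled(build_flags) else "not-exposed"
    return "not-listed"           # older releases are not named in the advisory


if __name__ == "__main__":
    import sys
    # Usage: python check.py path/to/mongoose.h "<CFLAGS used for the build>"
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(assess(fh.read(), sys.argv[2]))
    else:
        print(assess(HEADER_70, FLAGS_OPENSSL))  # vulnerable
```

A "not-exposed" result still leaves the 7.0 code in the binary; plan the upgrade to 7.1 regardless, since re-enabling TLS later reintroduces the exposure.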

📡 Detection & Monitoring

Log Indicators:

  • Multiple connection attempts followed by server crash
  • Memory allocation errors in logs
  • TLS handshake failures

Network Indicators:

  • Multiple rapid connection requests to HTTPS port
  • Unusual traffic patterns causing memory exhaustion

SIEM Query:

source="mongoose.log" AND ("crash" OR "memory" OR "tls_init")

🔗 References
