Bug 2454274 (CVE-2026-5246) - CVE-2026-5246 mongoose: certificate verification bypass in mTLS
Summary: CVE-2026-5246 mongoose: certificate verification bypass in mTLS
Keywords:
Status: NEW
Alias: CVE-2026-5246
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2454337 2454338 2454339 2454340
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-04-02 10:01 UTC by OSIDB Bzimport
Modified: 2026-04-02 13:25 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-04-02 10:01:45 UTC
A vulnerability was determined in Cesanta Mongoose up to 7.20. Affected is the function mg_tls_verify_cert_signature of the file mongoose.c of the component P-384 Public Key Handler. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. Attacks of this nature are highly complex. The exploitability is told to be difficult. The exploit has been publicly disclosed and may be utilized. Upgrading to version 7.21 is able to address this issue. This patch is called 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.


Note You need to log in before you can comment on or make changes to this bug.