Nixpkgs security tracker

Dismissed

(not in Nixpkgs)

Permalink CVE-2026-6986

3.7 LOW

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): Low (L)
Availability (A): None (N)
Exploit Code Maturity (E): Proof-of-Concept (P)
Remediation Level (RL): Official Fix (O)
Report Confidence (RC): Confirmed (C)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

updated 4 weeks ago by @LeSuisse Activity log

Created suggestion 4 weeks, 1 day ago
@LeSuisse dismissed (not in Nixpkgs) 4 weeks ago

Cesanta Mongoose GCM Authentication Tag tls_aes128.c mg_aes_gcm_decrypt signature verification

A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This issue affects the function mg_aes_gcm_decrypt of the file /src/tls_aes128.c of the component GCM Authentication Tag Handler. Such manipulation leads to improper verification of cryptographic signature. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 7.21 is capable of addressing this issue. It is advisable to upgrade the affected component. VulDB has contacted the vendor early and they confirmed quickly, that this issue got fixed already.

References

VDB-359529 | Cesanta Mongoose GCM Authentication Tag tls_aes128.c mg_aes_gcm_decrypt signature verification vdb-entrytechnical-description
VDB-359529 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #796231 | Cesanta Mongoose 7.20 Improper Verification of Cryptographic Signature third-party-advisory
https://github.com/dwBruijn/CVEs/blob/main/Mongoose/AESGCM.md exploit
https://github.com/cesanta/mongoose/releases/tag/7.21 patch

Affected products

Mongoose

==7.10
==7.17
==7.15
==7.9
==7.1
==7.4
==7.20
==7.8
==7.14
==7.11
==7.16
==7.19
==7.0
==7.12
==7.18
==7.13
==7.3
==7.21
==7.5
==7.2
==7.7
==7.6

Matching in nixpkgs

pkgs.mongoose

Graph Coarsening and Partitioning Library

nixos-unstable 3.3.6
- nixpkgs-unstable 3.3.6
- nixos-unstable-small 3.3.6
nixos-25.11 3.3.6
- nixos-25.11-small 3.3.6
- nixpkgs-25.11-darwin 3.3.6

Package maintainers

@wegank Weijia Wang <contact@weijia.wang>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.mongoose

Package maintainers