CVE-2026-5245: Stack-based Buffer Overflow in Cesanta Mongoose
CVE-2026-5245 is a stack-based buffer overflow vulnerability in the handle_mdns_record function of Cesanta Mongoose versions up to 7.20. The flaw arises from improper handling of the buf argument, allowing remote attackers to trigger a buffer overflow on the stack. Exploitation is complex and difficult, requiring a high degree of skill, and no authentication or user interaction is needed. The vulnerability impacts confidentiality, integrity, and availability but with limited scope and complexity. Cesanta has released version 7.21 to address this issue promptly. Organizations using affected Mongoose versions should upgrade immediately to mitigate potential risks. While no known exploits are currently active in the wild, the public availability of exploit code increases the risk of future attacks. The medium severity CVSS score of 6.
AI Analysis
Technical Summary
CVE-2026-5245 identifies a stack-based buffer overflow vulnerability in the Cesanta Mongoose embedded web server library, specifically in the handle_mdns_record function within the mongoose.c source file. This function is responsible for processing mDNS (Multicast DNS) records. The vulnerability occurs due to insufficient bounds checking when manipulating the buf argument, which can lead to overwriting the stack memory. This flaw allows a remote attacker to cause a buffer overflow without requiring authentication or user interaction, potentially leading to arbitrary code execution, denial of service, or information disclosure. However, the attack complexity is high, making exploitation challenging. The vulnerability affects all Cesanta Mongoose versions from 7.0 through 7.20. Cesanta responded quickly by releasing version 7.21, which includes a patch (commit 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1) that properly validates the buffer length to prevent overflow. The CVSS 4.0 score is 6.3 (medium), reflecting network attack vector, high attack complexity, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. No known active exploits have been reported, but public exploit code exists, increasing the risk of future exploitation attempts.
Potential Impact
The vulnerability poses a moderate risk to organizations using Cesanta Mongoose versions up to 7.20, particularly those deploying it in network-exposed environments such as IoT devices, embedded systems, or web servers. Successful exploitation could allow attackers to execute arbitrary code remotely, leading to potential system compromise, data leakage, or service disruption. Given the stack-based buffer overflow nature, attackers might achieve privilege escalation or persistent control over affected devices. The high complexity of exploitation reduces the likelihood of widespread attacks but does not eliminate targeted attacks against high-value assets. The availability of public exploit code increases the risk over time. Organizations relying on Mongoose in critical infrastructure or consumer devices could face operational and reputational damage if exploited. The medium severity indicates that while the threat is significant, it is not trivial to exploit, allowing time for remediation.
Mitigation Recommendations
Organizations should prioritize upgrading Cesanta Mongoose to version 7.21 or later, which contains the official patch fixing the buffer overflow. For environments where immediate upgrade is not feasible, applying custom patches based on the vendor's commit 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1 can mitigate the issue. Network-level protections such as firewall rules or intrusion prevention systems should be configured to restrict or monitor mDNS traffic to and from devices running vulnerable Mongoose versions. Implementing strict input validation and buffer size checks in custom integrations can reduce risk. Regularly auditing and scanning embedded devices for outdated Mongoose versions is recommended. Additionally, monitoring for unusual network activity or crashes related to mDNS handling can provide early detection of exploitation attempts. Coordinating with device manufacturers and vendors to ensure timely updates is critical for large-scale deployments.
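An added example, not part of the advisory or of Cesanta's code: one way to run the version audit recommended above over firmware or application source trees. It assumes the vendored `mongoose.h` still carries its `MG_VERSION` define; the function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Affected range as stated in the advisory text above (fixed in 7.21).
FIRST_AFFECTED = (7, 0)
LAST_AFFECTED = (7, 20)

# Assumption: the vendored copy keeps its '#define MG_VERSION "x.y"' line.
VERSION_RE = re.compile(r'^\s*#\s*define\s+MG_VERSION\s+"(\d+)\.(\d+)"', re.MULTILINE)

def parse_mg_version(header_text):
    """Return (major, minor) from mongoose.h text, or None if no version line is found."""
    m = VERSION_RE.search(header_text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def is_affected(version):
    """Compare numerically: as strings, "7.9" would sort after "7.20"."""
    return FIRST_AFFECTED <= version <= LAST_AFFECTED

def audit_tree(root):
    """Walk a source tree and classify every vendored mongoose.h found."""
    findings = []
    for header in sorted(Path(root).rglob("mongoose.h")):
        version = parse_mg_version(header.read_text(errors="replace"))
        if version is None:
            status = "unknown"  # stripped or modified header: review by hand
        elif is_affected(version):
            status = "affected"
        else:
            status = "not-affected"
        findings.append((str(header.relative_to(root)), version, status))
    return findings

def demo():
    """Run the audit over a constructed sample tree with three projects."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"cam/lib": '#define MG_VERSION "7.9"\n',
                   "hub/vendor": '#define MG_VERSION "7.21"\n',
                   "plug/src": "/* version line removed */\n"}
        for sub, text in samples.items():
            d = Path(tmp, sub)
            d.mkdir(parents=True)
            (d / "mongoose.h").write_text(text)
        return audit_tree(tmp)

if __name__ == "__main__":
    for path, version, status in demo():
        print(f"{status:13} {version} {path}")
```

Headers reported as `unknown` still need manual review, since a missing version line says nothing about whether the code is patched.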
Affected Countries
United States, Germany, China, Japan, South Korea, United Kingdom, France, Canada, Australia, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-31T14:45:52.658Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ce82f2e6bfc5ba1de1d976
Added to database: 4/2/2026, 2:53:38 PM
Last enriched: 4/2/2026, 3:10:05 PM
Last updated: 4/2/2026, 5:38:08 PM