Vulnerability ID: 755450
Product: Cesanta Mongoose Embedded Web Server 7.20
Vulnerability Type: Improper Validation of Specified Index, Position, or Offset in I
Description:
- The built-in TCP/IP stack (MIP) in Mongoose accepts TCP RST packets without validating the source IP address or the sequence number, allowing an attacker to terminate arbitrary TCP sessions.
- The function in matches incoming TCP segments to existing connections using only the port pair, ignoring the source IP address entirely.
- Once a connection is matched, the function immediately terminates the connection upon seeing the RST flag without checking the sequence number, violating RFC 5961.
- This allows any host on the network to terminate arbitrary TCP connections by sending a single forged RST packet.
Source: https://github.com/dwBruijn/CVEs/blob/main/Mongoose/tcp_rst.md
Submitter: dwbruijn (UID 93926)
Submission Date: 02/10/2026 06:28 PM
Moderation Date: 02/22/2026 08:57 AM
Status: Accepted
VulDB Entry: 2347334
Points: 20
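The two checks the description says are missing, full 4-tuple matching and RFC 5961 section 3.2 sequence validation for RST segments, look like this in a minimal form. This is an added example, not code from Mongoose or from the submission; the struct layouts, `conn_matches` and `handle_rst` are hypothetical names, and the addresses are constructed sample values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

// Hypothetical connection state; names are assumptions, not Mongoose's.
struct conn {
  uint32_t rem_ip, loc_ip;      // remote / local IPv4 address
  uint16_t rem_port, loc_port;  // remote / local TCP port
  uint32_t rcv_nxt, rcv_wnd;    // next expected sequence number, window size
};
struct seg {  // parsed header fields of an incoming RST segment
  uint32_t src_ip, dst_ip, seq;
  uint16_t src_port, dst_port;
};
enum rst_action { RST_DROP, RST_CHALLENGE_ACK, RST_CLOSE };

// Match on the full 4-tuple, not only the port pair.
static bool conn_matches(const struct conn *c, const struct seg *s) {
  return c->rem_ip == s->src_ip && c->loc_ip == s->dst_ip &&
         c->rem_port == s->src_port && c->loc_port == s->dst_port;
}

// RFC 5961 section 3.2 decision for a segment with the RST flag set.
enum rst_action handle_rst(const struct conn *c, const struct seg *s) {
  if (!conn_matches(c, s)) return RST_DROP;    // belongs to no known peer
  if (s->seq == c->rcv_nxt) return RST_CLOSE;  // exact match: reset
  // Unsigned subtraction keeps the window test correct across wraparound.
  if ((uint32_t) (s->seq - c->rcv_nxt) < c->rcv_wnd)
    return RST_CHALLENGE_ACK;  // in window but not exact: ACK, stay open
  return RST_DROP;             // outside the receive window
}

int main(void) {
  // Constructed sample: 192.0.2.10:40000 connected to 192.0.2.1:80.
  struct conn c = {0xC000020A, 0xC0000201, 40000, 80, 1000, 4096};
  struct seg tests[] = {
      {0xC000020A, 0xC0000201, 1000, 40000, 80},  // genuine peer, exact seq
      {0xC0000263, 0xC0000201, 1000, 40000, 80},  // other host, same ports
      {0xC000020A, 0xC0000201, 2000, 40000, 80},  // in window, not exact
      {0xC000020A, 0xC0000201, 9000, 40000, 80},  // out of window
  };
  const char *names[] = {"drop", "challenge-ack", "close"};
  for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++)
    printf("segment %zu -> %s\n", i, names[handle_rst(&c, &tests[i])]);
  return 0;
}
```

Only a segment from the connection's own peer carrying exactly the next expected sequence number closes the connection; an in-window near miss gets a challenge ACK and everything else is dropped.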