FKIE_CVE-2026-22697

Vulnerability from fkie_nvd - Published: 2026-01-10 01:16 - Updated: 2026-01-16 16:42
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, CryptoLib’s KMC crypto service integration is vulnerable to a heap buffer overflow when decoding Base64-encoded ciphertext/cleartext fields returned by the KMC service. The decode destination buffer is sized using an expected output length (len_data_out), but the Base64 decoder writes output based on the actual Base64 input length and does not enforce any destination size limit. An oversized Base64 string in the KMC JSON response can cause out-of-bounds writes on the heap, resulting in process crash and potentially code execution under certain conditions. This issue has been patched in version 1.4.3.
References
security-advisories@github.comhttps://github.com/nasa/CryptoLib/releases/tag/v1.4.3Release Notes
security-advisories@github.comhttps://github.com/nasa/CryptoLib/security/advisories/GHSA-qjx3-83jh-2jc4Vendor Advisory, Exploit
134c704f-9b21-4f2e-91b3-4a467353bcc0https://github.com/nasa/CryptoLib/security/advisories/GHSA-qjx3-83jh-2jc4Vendor Advisory, Exploit
Impacted products
Vendor Product Version
nasa cryptolib *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nasa:cryptolib:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AE1BE91E-2901-42AF-BC66-762CFA7A2582",
              "versionEndExcluding": "1.4.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, CryptoLib\u2019s KMC crypto service integration is vulnerable to a heap buffer overflow when decoding Base64-encoded ciphertext/cleartext fields returned by the KMC service. The decode destination buffer is sized using an expected output length (len_data_out), but the Base64 decoder writes output based on the actual Base64 input length and does not enforce any destination size limit. An oversized Base64 string in the KMC JSON response can cause out-of-bounds writes on the heap, resulting in process crash and potentially code execution under certain conditions. This issue has been patched in version 1.4.3."
    },
    {
      "lang": "es",
      "value": "CryptoLib proporciona una soluci\u00f3n \u00fanicamente de software utilizando el Protocolo de Seguridad de Enlace de Datos Espaciales CCSDS - Procedimientos Extendidos (SDLS-EP) para asegurar las comunicaciones entre una nave espacial que ejecuta el Sistema de Vuelo central (cFS) y una estaci\u00f3n terrestre. Antes de la versi\u00f3n 1.4.3, la integraci\u00f3n del servicio criptogr\u00e1fico KMC de CryptoLib es vulnerable a un desbordamiento de b\u00fafer de pila al decodificar campos de texto cifrado/texto claro codificados en Base64 devueltos por el servicio KMC. El b\u00fafer de destino de decodificaci\u00f3n se dimensiona utilizando una longitud de salida esperada (len_data_out), pero el decodificador Base64 escribe la salida bas\u00e1ndose en la longitud real de la entrada Base64 y no impone ning\u00fan l\u00edmite de tama\u00f1o de destino. Una cadena Base64 sobredimensionada en la respuesta JSON del KMC puede causar escrituras fuera de l\u00edmites en la pila, lo que resulta en un fallo del proceso y potencialmente la ejecuci\u00f3n de c\u00f3digo bajo ciertas condiciones. Este problema ha sido parcheado en la versi\u00f3n 1.4.3."
    }
  ],
  "id": "CVE-2026-22697",
  "lastModified": "2026-01-16T16:42:26.080",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-10T01:16:19.160",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/nasa/CryptoLib/releases/tag/v1.4.3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory",
        "Exploit"
      ],
      "url": "https://github.com/nasa/CryptoLib/security/advisories/GHSA-qjx3-83jh-2jc4"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Vendor Advisory",
        "Exploit"
      ],
      "url": "https://github.com/nasa/CryptoLib/security/advisories/GHSA-qjx3-83jh-2jc4"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-122"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.