CVE-2026-21898
Memory Bounds Check Vulnerability in CryptoLib AOS Frame Parsing
Publication date: 2026-01-10
Last updated on: 2026-01-10
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nasa | cryptolib | up to 1.4.3 (excluding) |
| nasa | cryptolib | 1.4.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an out-of-bounds read in the Crypto_AOS_ProcessSecurity function of the CryptoLib package. When parsing AOS frame hashes, the function reads past the end of a 6-byte buffer, which AddressSanitizer reports as a heap-buffer-overflow. The cause is that the function accesses the 7th and 8th bytes (indices 6 and 7) when only 6 bytes are allocated, so the read lands outside the allocation. [2]
How can this vulnerability impact me?
The vulnerability can be exploited remotely without any privileges or user interaction, potentially causing a denial of service by crashing the process due to heap-buffer-overflow. It has a high impact on availability, meaning it can disrupt the service. The confidentiality impact is low, and there is no impact on integrity. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for heap-buffer-overflow errors related to the Crypto_AOS_ProcessSecurity function, especially when processing AOS frame hashes with minimum frame lengths (6 bytes). Using AddressSanitizer (ASAN) or similar memory error detection tools during testing can reveal out-of-bounds reads. Specifically, running tests that allocate 6-byte buffers and observing if reads occur beyond the buffer (indices 6 and 7) can confirm the issue. There are no specific network commands provided, but enabling memory error detection tools during runtime or testing is recommended. [2]
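As an added illustration of the check the explanation and detection answers describe (not CryptoLib's code), the following parses the two bytes that sit past a 6-byte minimum frame only after verifying the buffer is long enough, and includes a 6-byte heap-allocated regression check of the kind ASAN would flag; the header layout, field names and sample bytes are assumptions, not the real AOS format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout: a 6-byte primary header (the minimum frame length the
 * page mentions) followed by an optional 16-bit field in bytes 6..7.
 * Names are illustrative, not CryptoLib's. */
#define AOS_MIN_FRAME_LEN 6u
#define AOS_EXT_FIELD_LEN 2u

struct aos_hdr {
    uint8_t  primary[AOS_MIN_FRAME_LEN];
    int      has_ext;     /* 1 if bytes 6..7 were present and parsed */
    uint16_t ext_field;   /* big-endian value of bytes 6..7 */
};

/* Returns 0 on success, -1 if the frame is shorter than the primary header.
 * 'len' is the number of bytes actually available in 'frame'; every access
 * is checked against it. The bug described on this page is the missing
 * second check: reading frame[6] and frame[7] when len == 6. */
int aos_parse_header(const uint8_t *frame, size_t len, struct aos_hdr *out)
{
    if (frame == NULL || out == NULL || len < AOS_MIN_FRAME_LEN)
        return -1;
    memset(out, 0, sizeof *out);
    memcpy(out->primary, frame, AOS_MIN_FRAME_LEN);

    /* Bounds check before touching indices 6 and 7. */
    if (len < AOS_MIN_FRAME_LEN + AOS_EXT_FIELD_LEN) {
        out->has_ext = 0;   /* minimum-length frame: field absent, not garbage */
        return 0;
    }
    out->has_ext = 1;
    out->ext_field = (uint16_t)((frame[6] << 8) | frame[7]);
    return 0;
}

/* Regression check mirroring the detection advice: allocate exactly the
 * 6-byte minimum on the heap so any read of index 6 or 7 is visible to ASAN.
 * Returns 0 when the parser stays within bounds and reports no ext field. */
int aos_min_frame_check(void)
{
    const uint8_t sample[AOS_MIN_FRAME_LEN] = {0x40, 0x01, 0x00, 0x00, 0x00, 0x10}; /* constructed */
    uint8_t *buf = malloc(AOS_MIN_FRAME_LEN);
    struct aos_hdr hdr;
    int rc;
    if (buf == NULL)
        return -1;
    memcpy(buf, sample, AOS_MIN_FRAME_LEN);
    rc = aos_parse_header(buf, AOS_MIN_FRAME_LEN, &hdr);
    free(buf);
    return (rc == 0 && hdr.has_ext == 0) ? 0 : -1;
}
```

Compile with `-fsanitize=address` to make the heap read in `aos_min_frame_check` observable if the length check is ever removed.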
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade CryptoLib to version 1.4.3 or later, where the out-of-bounds read issue in the Crypto_AOS_ProcessSecurity function has been fixed. Applying this patch will prevent the memory read beyond valid bounds and eliminate the associated heap-buffer-overflow risk. [1, 2]