CVE-2026-21899
Out-of-Bounds Read in CryptoLib base64urlDecode Causes Crash

Publication date: 2026-01-10

Last updated on: 2026-01-10

Assigner: GitHub, Inc.

Description
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, in base64urlDecode, padding-stripping dereferences input[inputLen - 1] before checking that inputLen > 0 or that input != NULL. For inputLen == 0, this becomes an OOB read at input[-1], potentially crashing the process. If input == NULL and inputLen == 0, it dereferences NULL - 1. This issue has been patched in version 1.4.3.
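The advisory's flaw and its fix, as an added illustration (example code written for this page, not CryptoLib's own; the names base64url_decode_safe, b64url_val and b64url_decodes_to are hypothetical): the padding loop checks inputLen before it dereferences, and a NULL or empty input returns without touching memory.

```c
#include <stdint.h>
#include <string.h>

/* Flawed pattern the advisory describes (paraphrased here, not CryptoLib's code):
 *     while (input[inputLen - 1] == '=') inputLen--;
 * It runs before any NULL or length check, so inputLen == 0 reads input[-1]
 * and a NULL input reads from (NULL - 1). */

/* Map one base64url alphabet character (RFC 4648 section 5) to its 6-bit value. */
static int b64url_val(uint8_t c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '-') return 62;
    if (c == '_') return 63;
    return -1;
}

/* Hardened decoder (hypothetical name): validates arguments first, then strips
 * optional '=' padding only while inputLen > 0. Returns bytes written, or -1 on
 * NULL input, an invalid character, an impossible length or too small outCap. */
int base64url_decode_safe(const uint8_t *input, size_t inputLen,
                          uint8_t *out, size_t outCap)
{
    if (input == NULL || (out == NULL && outCap > 0)) return -1;
    while (inputLen > 0 && input[inputLen - 1] == '=') inputLen--; /* check length first */
    if (inputLen == 0) return 0;        /* empty input decodes to nothing, no crash */
    if (inputLen % 4 == 1) return -1;   /* no valid encoding leaves 6 dangling bits */
    uint32_t acc = 0; int bits = 0; size_t n = 0;
    for (size_t i = 0; i < inputLen; i++) {
        int v = b64url_val(input[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v; bits += 6;
        if (bits >= 8) {                /* a full byte is available */
            bits -= 8;
            if (n >= outCap) return -1;
            out[n++] = (uint8_t)((acc >> bits) & 0xFF);
        }
    }
    return (int)n;
}

/* Convenience check: decode text and compare with the expected bytes (1 = match). */
int b64url_decodes_to(const char *text, const char *expected)
{
    uint8_t buf[64];
    int n = base64url_decode_safe((const uint8_t *)text, strlen(text), buf, sizeof buf);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(buf, expected, (size_t)n) == 0;
}
```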
Meta Information
Published: 2026-01-10
Last Modified: 2026-01-10
Generated: 2026-05-07
AI Q&A: 2026-01-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor  Product    Version / Range
nasa    cryptolib  before 1.4.3 (1.4.3 excluded)
nasa    cryptolib  1.4.3
CWE
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-21899 is a moderate severity vulnerability in CryptoLib versions up to 1.4.2. It occurs in the base64urlDecode function, where the code attempts to strip padding characters by accessing input[inputLen - 1] without first checking if inputLen is greater than zero or if input is not NULL. If inputLen is zero, this causes an out-of-bounds read at input[-1], potentially crashing the process. If input is NULL and inputLen is zero, it dereferences NULL - 1, leading to undefined behavior. This vulnerability can be triggered when decoding empty Base64url strings, such as empty JSON fields. The issue has been fixed in version 1.4.3 by adding proper parameter validation and handling empty input explicitly to prevent out-of-bounds access. [1]


How can this vulnerability impact me?

This vulnerability can cause a process crash due to an out-of-bounds read when decoding empty Base64url strings. Although it requires high privileges to exploit and does not need user interaction, it can lead to denial of service by crashing the application. The impact on confidentiality, integrity, and availability is low, but the crash could disrupt normal operations of systems using CryptoLib. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if your system is running CryptoLib versions up to 1.4.2 and by monitoring for crashes or abnormal behavior related to base64url decoding of empty strings. Since the issue occurs in the base64urlDecode function when decoding empty Base64url strings, you can test this by running a program or script that calls this function with empty input and observing if it crashes. Specific commands depend on your environment, but generally, you can check the CryptoLib version installed and test the decoding function with empty input. For example, if you have access to the CryptoLib source or binaries, you might run a test program that calls base64urlDecode with an empty string and see if it crashes. There are no explicit detection commands provided in the resources. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade CryptoLib to version 1.4.3 or later, where the issue has been patched. The patch includes proper validation of input parameters and handling of empty input to prevent out-of-bounds reads. If upgrading immediately is not possible, avoid passing empty or NULL inputs to the base64urlDecode function to prevent triggering the vulnerability. [1, 2]

