CVE-2026-21899
Unknown Unknown - Not Provided
Out-of-Bounds Read in CryptoLib base64urlDecode Causes Crash

Publication date: 2026-01-10

Last updated on: 2026-01-10

Assigner: GitHub, Inc.

Description
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, in base64urlDecode, padding-stripping dereferences input[inputLen - 1] before checking that inputLen > 0 or that input != NULL. For inputLen == 0, this becomes an OOB read at input[-1], potentially crashing the process. If input == NULL and inputLen == 0, it dereferences NULL - 1. This issue has been patched in version 1.4.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-10
Last Modified
2026-01-10
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21899
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
nasa cryptolib to 1.4.3 (exc)
nasa cryptolib 1.4.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21899 is a moderate severity vulnerability in CryptoLib versions up to 1.4.2. It occurs in the base64urlDecode function, where the code attempts to strip padding characters by accessing input[inputLen - 1] without first checking if inputLen is greater than zero or if input is not NULL. If inputLen is zero, this causes an out-of-bounds read at input[-1], potentially crashing the process. If input is NULL and inputLen is zero, it dereferences NULL - 1, leading to undefined behavior. This vulnerability can be triggered when decoding empty Base64url strings, such as empty JSON fields. The issue has been fixed in version 1.4.3 by adding proper parameter validation and handling empty input explicitly to prevent out-of-bounds access. [1]

Impact Analysis

This vulnerability can cause a process crash due to an out-of-bounds read when decoding empty Base64url strings. Although it requires high privileges to exploit and does not need user interaction, it can lead to denial of service by crashing the application. The impact on confidentiality, integrity, and availability is low, but the crash could disrupt normal operations of systems using CryptoLib. [1]

Detection Guidance

This vulnerability can be detected by checking if your system is running CryptoLib versions up to 1.4.2 and by monitoring for crashes or abnormal behavior related to base64url decoding of empty strings. Since the issue occurs in the base64urlDecode function when decoding empty Base64url strings, you can test this by running a program or script that calls this function with empty input and observing if it crashes. Specific commands depend on your environment, but generally, you can check the CryptoLib version installed and test the decoding function with empty input. For example, if you have access to the CryptoLib source or binaries, you might run a test program that calls base64urlDecode with an empty string and see if it crashes. There are no explicit detection commands provided in the resources. [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade CryptoLib to version 1.4.3 or later, where the issue has been patched. The patch includes proper validation of input parameters and handling of empty input to prevent out-of-bounds reads. If upgrading immediately is not possible, avoid passing empty or NULL inputs to the base64urlDecode function to prevent triggering the vulnerability. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21899. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart