CVE-2026-21900
Out-of-Bounds Heap Read in CryptoLib SDLS-EP Encryption

Publication date: 2026-01-10

Last updated on: 2026-01-10

Assigner: GitHub, Inc.

Description
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, an out-of-bounds heap read vulnerability in cryptography_encrypt() occurs when parsing JSON metadata from KMC server responses. The flawed strtok iteration pattern uses ptr + strlen(ptr) + 1, which reads one byte past the allocated buffer boundary when processing short or malformed metadata strings. This issue has been patched in version 1.4.3.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-01-11
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (2 associated CPEs)
Vendor  Product    Version / Range
nasa    cryptolib  up to 1.4.3 (excluding)
nasa    cryptolib  1.4.3
CWE
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-21900 is an out-of-bounds (OOB) read vulnerability in the cryptography_encrypt() function of the CryptoLib package. It occurs when parsing JSON metadata from KMC server responses due to incorrect use of the strtok function. The code manually advances the pointer by strlen(ptr) + 1, which causes a read one byte past the allocated buffer boundary when processing short or malformed metadata strings. This leads to heap and stack OOB reads. [2]

Impact Analysis

The vulnerability can cause a crash or denial of service (DoS) through segmentation faults or AddressSanitizer aborts. Exploitation requires no privileges or user interaction and can be triggered remotely by a malicious or compromised KMC server or a man-in-the-middle attacker returning crafted JSON responses with short or malformed metadata strings. There is no reported impact on confidentiality or integrity; the impact is limited to availability. [2]

Detection Guidance

This vulnerability can be detected by monitoring for crashes or denial of service (DoS) events in the CryptoLib software, especially those triggered by malformed or short JSON metadata responses from the KMC server. Building CryptoLib with AddressSanitizer (ASan) and running it under the sanitizer surfaces heap-buffer-overflow reports at the vulnerable strtok calls. Additionally, running the provided proof of concept (PoC) programs (in C or Python) that simulate a malicious KMC server returning crafted JSON responses can help reproduce and detect the issue. Specific commands would involve building CryptoLib with ASan enabled and running the PoC, but exact commands are not provided in the resources. [2]

Mitigation Strategies

The immediate mitigation step is to upgrade CryptoLib to version 1.4.3 or later, where the vulnerability has been fixed by correcting the strtok usage pattern. Developers should replace the flawed manual pointer arithmetic in strtok iterations with strtok(NULL, delimiter) calls. Until the upgrade is applied, avoid processing untrusted or malformed JSON metadata from KMC servers, and consider monitoring for abnormal crashes or DoS symptoms. [2, 3]
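The following is an added illustration, not CryptoLib's own code, of the two iteration patterns discussed above: a model of the flawed `ptr + strlen(ptr) + 1` advance that checks, without dereferencing, where it would step past the heap buffer, beside the `strtok(NULL, ...)` iteration the fix recommends. The comma-separated metadata strings and their field names are constructed assumptions, not the KMC response format.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hardened iteration (the pattern the fix recommends): hand the cursor back to
 * strtok with strtok(NULL, ...) so it stops at the string's own terminator.
 * Counts comma-separated fields in a constructed metadata string such as
 * "keyid:7,iv:abc". Returns -1 on allocation failure. */
int count_fields_safe(const char *metadata) {
    size_t len = strlen(metadata) + 1;          /* include the NUL */
    char *buf = malloc(len);                    /* strtok writes into its input */
    if (buf == NULL) return -1;
    memcpy(buf, metadata, len);
    int n = 0;
    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ","))
        n++;
    free(buf);
    return n;
}

/* Models the flawed advance `ptr = ptr + strlen(ptr) + 1` WITHOUT reading past
 * the allocation. Returns 1 if the next strtok() call would start reading at or
 * beyond the end of the heap buffer, 0 otherwise, -1 on allocation failure.
 * After the final token (no trailing delimiter) the manual advance lands one
 * byte past the copy's NUL, which is exactly one byte past the allocation. */
int flawed_advance_overruns(const char *metadata) {
    size_t len = strlen(metadata) + 1;
    char *buf = malloc(len);
    if (buf == NULL) return -1;
    memcpy(buf, metadata, len);
    const char *end = buf + len;                /* first address past the allocation */
    int overrun = 0;
    char *ptr = strtok(buf, ",");
    while (ptr != NULL) {
        char *next = ptr + strlen(ptr) + 1;     /* the pattern under discussion */
        if (next >= end) {                      /* strtok(next, ...) would read *end */
            overrun = 1;
            break;
        }
        ptr = strtok(next, ",");
    }
    free(buf);
    return overrun;
}

int main(void) {
    const char *samples[] = { "keyid:7,iv:abc", "keyid:7,iv:abc,", "x", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s fields=%d flawed_overrun=%d\n", samples[i],
               count_fields_safe(samples[i]), flawed_advance_overruns(samples[i]));
    return 0;
}
```

The manual advance only stays in bounds when a delimiter happens to trail the last field; a short response such as a single field has no such delimiter, which is the case the advisory describes.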
