CVE-2026-21900
Out-of-Bounds Heap Read in CryptoLib SDLS-EP Encryption
Publication date: 2026-01-10
Last updated on: 2026-01-10
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nasa | cryptolib | up to 1.4.3 (exclusive) |
| nasa | cryptolib | 1.4.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21900 is an out-of-bounds (OOB) read vulnerability in the cryptography_encrypt() function of the CryptoLib package. It occurs when parsing JSON metadata from KMC server responses, due to incorrect use of the strtok function. The code manually advances the pointer by strlen(ptr) + 1, which reads one byte past the end of the allocated buffer when processing short or malformed metadata strings. This leads to heap and stack OOB reads. [2]
How can this vulnerability impact me?
The vulnerability can cause a crash or denial of service (DoS) through segmentation faults or AddressSanitizer aborts. Exploitation requires no privileges or user interaction and can be triggered remotely by a malicious or compromised KMC server or a man-in-the-middle attacker returning crafted JSON responses with short or malformed metadata strings. There is no reported impact on confidentiality or integrity; the impact is limited to availability. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or denial of service (DoS) events in the CryptoLib software, especially those triggered by malformed or short JSON metadata responses from the KMC server. Using AddressSanitizer (ASAN) during builds and runtime can help detect heap-buffer-overflow errors at the vulnerable strtok calls. Additionally, running the provided proof of concept (PoC) programs (in C or Python) that simulate a malicious KMC server returning crafted JSON responses can help reproduce and detect the issue. Specific commands would involve building CryptoLib with ASAN enabled and running the PoC, but exact commands are not provided in the resources. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade CryptoLib to version 1.4.3 or later, where the vulnerability has been fixed by correcting the strtok usage pattern. Developers should replace the flawed manual pointer arithmetic in strtok iterations with proper calls using strtok(NULL, delimiter). Until the upgrade is applied, avoid processing untrusted or malformed JSON metadata from KMC servers, and consider monitoring for abnormal crashes or DoS symptoms. [2, 3]
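As an added illustration of the fix pattern the answer above describes (this is constructed example code, not CryptoLib's code and not taken from the advisory resources), the tokenizer below iterates with strtok(NULL, delimiter) instead of manual pointer arithmetic and bounds both the number of tokens and each token's length, so a short or malformed string is rejected rather than read past its buffer. The comma-separated metadata format, the field names and the sample strings are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TOKENS 8
#define MAX_TOKEN_LEN 32
#define MAX_INPUT_LEN 256

/* Split a comma-separated metadata string into out[]. Returns the token
 * count, or -1 if the input is NULL, too long, has too many tokens, or a
 * token does not fit. Works on a private copy because strtok writes NUL
 * bytes into its argument. Note that strtok skips empty fields, so "a,,b"
 * yields two tokens, not three. (Hypothetical helper, not CryptoLib code.) */
static int split_metadata(const char *input, char out[MAX_TOKENS][MAX_TOKEN_LEN])
{
    char buf[MAX_INPUT_LEN];
    if (input == NULL || strlen(input) >= sizeof buf)
        return -1;
    strcpy(buf, input);

    int n = 0;
    /* Continue with strtok(NULL, ","): strtok tracks its own position, so
     * there is no pointer arithmetic to get wrong. Advancing manually with
     * tok += strlen(tok) + 1 assumes a delimiter was overwritten with NUL
     * right after the token; for the last token (or a string with no
     * delimiter at all) that NUL is the string's own terminator, and the
     * step lands one byte past the end of the buffer. */
    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        if (n == MAX_TOKENS)
            return -1;
        size_t len = strlen(tok);
        if (len >= MAX_TOKEN_LEN)
            return -1;
        memcpy(out[n], tok, len + 1);   /* len + 1 copies the terminator too */
        n++;
    }
    return n;
}

/* Number of fields in a metadata string, or -1 when the input is rejected. */
int metadata_field_count(const char *input)
{
    char fields[MAX_TOKENS][MAX_TOKEN_LEN];
    return split_metadata(input, fields);
}

/* 1 if field idx equals expected, 0 otherwise (including rejected input
 * and an index outside the parsed range). */
int metadata_field_equals(const char *input, int idx, const char *expected)
{
    char fields[MAX_TOKENS][MAX_TOKEN_LEN];
    int n = split_metadata(input, fields);
    if (n < 0 || idx < 0 || idx >= n)
        return 0;
    return strcmp(fields[idx], expected) == 0;
}

int main(void)
{
    /* Constructed sample inputs; not taken from any real KMC response. */
    const char *good = "alg=AES,keylen=16,id=7";
    const char *lone = "id";
    const char *empty = "";
    printf("%s -> %d fields\n", good, metadata_field_count(good));
    printf("%s -> %d fields\n", lone, metadata_field_count(lone));
    printf("(empty) -> %d fields\n", metadata_field_count(empty));
    return 0;
}
```

The single-field and empty inputs are the cases the advisory calls short or malformed; with the continuation pattern they simply yield one or zero tokens instead of a read beyond the buffer, and callers can then check the count against what the protocol expects.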
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.