CVE-2026-22023
Out-of-Bounds Heap Read in CryptoLib SDLS-EP Encryption

Publication date: 2026-01-10

Last updated on: 2026-01-10

Assigner: GitHub, Inc.

Description
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, there is an out-of-bounds heap read vulnerability in cryptography_aead_encrypt(). This issue has been patched in version 1.4.3.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-01-10
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 2 associated CPEs
Vendor   Product    Version / Range
nasa     cryptolib  before 1.4.3 (1.4.3 excluded): affected
nasa     cryptolib  1.4.3 and later (1.4.3 included): fixed
CWE
CWE ID   Description
CWE-125  The product reads data past the end, or before the beginning, of the intended buffer.
Executive Summary

CVE-2026-22023 is a high-severity vulnerability in CryptoLib affecting every version before 1.4.3. It is an out-of-bounds heap read (CWE-125) in cryptography_aead_encrypt(), caused by incorrect use of strtok while parsing metadata out of the JSON response returned by the Key Management Component (KMC) crypto service: the parsing code advances its pointers past the end of the allocated response buffer. A malicious or compromised KMC server can trigger it remotely by returning a crafted JSON response, and the resulting heap-buffer-overflow read crashes the encryption routine. Version 1.4.3 corrects the strtok handling so that reads stay inside the buffer. [3]

Impact Analysis

Exploitation requires only that the attacker control the KMC server the CryptoLib client talks to, or the responses the client receives from it; no privileges on the client host and no user interaction are needed. The reported impact is denial of service: the process crashes with a heap-buffer-overflow read during AEAD encryption, which interrupts the secured link between the spacecraft and the ground station that depends on CryptoLib. No direct confidentiality or integrity impact is reported. [3]

Detection Guidance

In production, the vulnerability shows up as crashes or service interruptions in cryptography_aead_encrypt() during AEAD encryption. In testing, build CryptoLib with AddressSanitizer (ASAN) instrumentation and run the client against a test server that returns crafted KMC responses; ASAN reports the heap-buffer-overflow read at the faulty strtok usage. A proof of concept that simulates a malicious KMC server returning such responses is referenced in the resources, but the exact build and run commands are not reproduced there. [3]

Mitigation Strategies

Upgrade to CryptoLib 1.4.3 or later, which corrects the strtok usage so the parser cannot read past the response buffer; do not run versions ≤ 1.4.2 in production. Until the upgrade is in place, restrict the client to a trusted, authenticated KMC endpoint so that only that service can answer it, and validate KMC response bodies before they reach the encryption routine. Watch for crashes in the encryption path and apply the patch promptly. [2, 3]
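The Detection Guidance and Mitigation Strategies above both come down to the same point: a response from the KMC server is attacker-controlled input, and a parser that walks it with strtok (which needs NUL termination, mutates the buffer and keeps static state) can be pushed past the end of a heap allocation. The block below is an added example, not CryptoLib's code and not the project's 1.4.3 fix; it shows one bounded way to pull a quoted string field out of a KMC-style JSON response without strtok, rejecting truncated or unterminated bodies instead of reading past them. The function names, field names and response bodies are constructed for the illustration.

```c
/*
 * Added example (not CryptoLib's code): extracting a quoted JSON string
 * field from a KMC-style response with explicit bounds, instead of strtok.
 * Field names, response bodies and function names are constructed for
 * this illustration and do not come from the CryptoLib sources.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Find needle inside hay[0 .. hay_len) without assuming NUL termination. */
static const char *bounded_find(const char *hay, size_t hay_len,
                                const char *needle, size_t needle_len)
{
    if (needle_len == 0 || needle_len > hay_len)
        return NULL;
    for (size_t i = 0; i + needle_len <= hay_len; i++) {
        if (memcmp(hay + i, needle, needle_len) == 0)
            return hay + i;
    }
    return NULL;
}

/*
 * Copy the value of "key":"value" out of body[0 .. body_len) into out and
 * return its length, or -1 when the key is absent, the closing quote is
 * missing inside body_len, or the value does not fit.  Every read is bounded
 * by body_len; the buffer is never modified and need not be NUL-terminated.
 * (Escaped quotes inside the value are not handled; base64 and hex fields
 * never contain them.)
 */
int extract_string_field(const char *body, size_t body_len, const char *key,
                         char *out, size_t out_len)
{
    char pattern[64];
    int n = snprintf(pattern, sizeof pattern, "\"%s\":\"", key);
    if (n < 0 || (size_t)n >= sizeof pattern)
        return -1;

    const char *start = bounded_find(body, body_len, pattern, (size_t)n);
    if (start == NULL)
        return -1;
    start += n;                                   /* first byte of the value */
    size_t remaining = body_len - (size_t)(start - body);

    /* Scan for the closing quote; stop at the end of the buffer, not at NUL. */
    size_t vlen = 0;
    while (vlen < remaining && start[vlen] != '"')
        vlen++;
    if (vlen == remaining)                        /* truncated: reject */
        return -1;
    if (vlen + 1 > out_len)                       /* would overflow out */
        return -1;

    memcpy(out, start, vlen);
    out[vlen] = '\0';
    return (int)vlen;
}

/* Returns 1 when `key` in body[0 .. body_len) extracts to exactly expected. */
int field_equals(const char *body, size_t body_len, const char *key,
                 const char *expected)
{
    char out[256];
    int r = extract_string_field(body, body_len, key, out, sizeof out);
    return r >= 0 && strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed responses; a real KMC reply carries more fields. */
    const char good[]  = "{\"ciphertext\":\"QUJD\",\"metadata\":\"iv=1\"}";
    const char trunc[] = "{\"ciphertext\":\"QUJD";   /* closing quote missing */
    char out[256];

    int r1 = extract_string_field(good, strlen(good), "metadata", out, sizeof out);
    printf("metadata -> %d (%s)\n", r1, r1 >= 0 ? out : "rejected");

    int r2 = extract_string_field(trunc, strlen(trunc), "ciphertext", out, sizeof out);
    printf("truncated ciphertext -> %d (%s)\n", r2, r2 >= 0 ? out : "rejected");

    /* A 19-byte slice of good with no closing quote in range: rejected, in bounds. */
    int r3 = extract_string_field(good, 19, "ciphertext", out, sizeof out);
    printf("unterminated slice -> %d (%s)\n", r3, r3 >= 0 ? out : "rejected");
    return 0;
}
```

Build it the way the Detection Guidance suggests for CryptoLib itself, with ASAN on (the file name is assumed): `cc -fsanitize=address -g -O1 kmc_field.c -o kmc_field && ./kmc_field`. Because the scan loop is bounded by `body_len` rather than by a NUL or a delimiter, a server that omits the closing quote, or a transport layer that hands over an unterminated buffer, yields -1 instead of a heap-buffer-overflow read, and ASAN stays silent.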
