CVE-2026-22023
Out-of-Bounds Heap Read in CryptoLib SDLS-EP Encryption
Publication date: 2026-01-10
Last updated on: 2026-01-10
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nasa | cryptolib | up to 1.4.3 (exclusive) |
| nasa | cryptolib | from 1.4.3 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22023 is a high-severity vulnerability in NASA's CryptoLib affecting versions before 1.4.3 (1.4.2 and earlier). It is an out-of-bounds heap read (CWE-125) caused by improper use of strtok in cryptography_aead_encrypt(): while parsing the metadata field out of the JSON response returned by the Key Management Component (KMC) server, the code advances pointers incorrectly, so a crafted response makes it read beyond the end of the allocated buffer. A malicious or compromised KMC server can therefore trigger the bug remotely with a crafted JSON response, crashing the encryption routine with a heap-buffer-overflow read. Version 1.4.3 fixes it by correcting the strtok handling. [3]
How can this vulnerability impact me?
This vulnerability can be exploited remotely, with no privileges on the client and no user interaction, by whoever controls the responses the client receives from its KMC server, i.e. a malicious or compromised KMC server. The primary impact is denial of service: the process performing AEAD encryption crashes on the heap-buffer-overflow read. There is no direct impact on confidentiality or integrity, but the crash can disrupt secure communications between spacecraft and ground stations that rely on CryptoLib. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection is mainly about the symptom: monitor the process hosting CryptoLib for crashes or denial-of-service conditions during AEAD encryption, specifically in cryptography_aead_encrypt(). In a test build, AddressSanitizer (ASan) detects the heap-buffer-overflow read caused by the flawed strtok usage directly; the practical approach is to compile CryptoLib with ASan instrumentation and run the client against a test server that returns crafted JSON responses, which is what the published Proof of Concept (a simulated malicious KMC server) does. The referenced resources do not give exact command lines. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade CryptoLib to 1.4.3 or later, where the strtok usage is corrected; do not run 1.4.2 or earlier in production. If upgrading is not immediately possible, restrict which KMC servers the client will talk to and validate KMC responses before they reach the vulnerable parsing code (in a proxy or a local wrapper you control); authenticated TLS to the KMC server raises the bar for spoofed responses but does not help if the server itself is compromised. Monitor for crashes and apply the patch promptly. [2, 3]
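The following is an added example, not CryptoLib's code, serving both the detection question (how ASan catches this class of bug) and the mitigation question (what "validating KMC responses" has to look like). It shows a strtok-based parser that advances by an assumed offset and copies an assumed length, which is the pattern behind a CWE-125 read when the server returns a short or truncated field, beside a bounds-checked replacement that measures the value before touching it. The JSON shape, the field names, META_FIXED_LEN, META_MAX and all function names are assumptions for illustration; CryptoLib's real response format and parsing code differ, and nothing below is taken from it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Key the client looks for in the server's JSON, the length the legacy parser
 * assumes the server always returns, and the most metadata the client accepts. */
#define META_KEY "\"metadata\":\""
#define META_FIXED_LEN 16
#define META_MAX 64

/* Constructed responses in a hypothetical KMC-style JSON shape (not CryptoLib's wire
 * format).  The crafted one ends inside the metadata string: no closing quote, no
 * closing brace, only the NUL terminator. */
static const char BENIGN_RESPONSE[] =
    "{\"ciphertext\":\"Q0lQSEVSVEVYVA==\",\"metadata\":\"iv=SVY=;tag=VEFH\"}";
static const char CRAFTED_RESPONSE[] =
    "{\"ciphertext\":\"Q0lQSEVSVEVYVA==\",\"metadata\":\"x";

/* Vulnerable pattern (illustrative): walk the response with strtok, step the token
 * pointer past the key by an assumed offset, then copy an assumed length.  Neither
 * step is compared with the token's real length, so a short final field makes the
 * memcpy read past the end of the heap buffer.  Returns 0 even after doing so. */
int parse_metadata_unsafe(char *resp, char out[META_MAX])
{
    char *tok = strtok(resp, ",");
    while (tok != NULL) {
        if (strncmp(tok, META_KEY, strlen(META_KEY)) == 0) {
            tok += strlen(META_KEY);         /* advance without checking what follows */
            memcpy(out, tok, META_FIXED_LEN); /* CWE-125: fixed-length read of a short field */
            out[META_FIXED_LEN] = '\0';
            return 0;
        }
        tok = strtok(NULL, ",");
    }
    return -1;
}

/* Hardened replacement: the response is a bounded byte buffer.  The NUL must lie
 * inside it, every pointer advance is checked against the end, and the value is
 * measured before it is copied.  Returns the metadata length, or -1 on rejection. */
int parse_metadata_safe(const char *resp, size_t resp_size, char out[META_MAX])
{
    if (resp == NULL || resp_size == 0)
        return -1;
    const char *end = memchr(resp, '\0', resp_size);   /* unterminated buffer: reject */
    if (end == NULL)
        return -1;
    const char *key = strstr(resp, META_KEY);            /* bounded: resp is NUL-terminated */
    if (key == NULL)
        return -1;
    const char *val = key + strlen(META_KEY);            /* <= end, the whole key matched */
    const char *quote = memchr(val, '"', (size_t)(end - val));
    if (quote == NULL)                                   /* no closing quote: truncated */
        return -1;
    size_t vlen = (size_t)(quote - val);
    if (vlen == 0 || vlen >= META_MAX)                   /* empty, or more than we accept */
        return -1;
    memcpy(out, val, vlen);
    out[vlen] = '\0';
    return (int)vlen;
}

/* Convenience wrapper: the parsed value, or NULL when the response was rejected. */
const char *metadata_or_null(const char *resp, size_t resp_size)
{
    static char value[META_MAX];
    return parse_metadata_safe(resp, resp_size, value) < 0 ? NULL : value;
}

int main(int argc, char **argv)
{
    const char *m = metadata_or_null(BENIGN_RESPONSE, sizeof BENIGN_RESPONSE);
    printf("safe, benign : %s\n", m ? m : "rejected");
    m = metadata_or_null(CRAFTED_RESPONSE, sizeof CRAFTED_RESPONSE);
    printf("safe, crafted: %s\n", m ? m : "rejected");

    /* Only on request: hand the crafted response to the legacy parser.  The buffer is
     * an exact-size heap copy, like one a libcurl write callback fills, so the 16-byte
     * memcpy starts two bytes before the allocation ends and reads 14 bytes past it.
     * Built with -fsanitize=address this is reported as a heap-buffer-overflow READ;
     * without ASan it silently returns neighbouring heap bytes or crashes. */
    if (argc > 1 && strcmp(argv[1], "--unsafe") == 0) {
        char out[META_MAX];
        char *heap = malloc(sizeof CRAFTED_RESPONSE);
        if (heap == NULL)
            return 1;
        memcpy(heap, CRAFTED_RESPONSE, sizeof CRAFTED_RESPONSE);
        printf("unsafe, crafted: rc=%d\n", parse_metadata_unsafe(heap, out));
        free(heap);
    }
    return 0;
}
```

Build and run with `cc -g -fsanitize=address -fno-omit-frame-pointer demo.c -o demo && ./demo --unsafe` to see the sanitizer report for the legacy path; the same three flags, passed through CMAKE_C_FLAGS, give an ASan-instrumented test build of any CMake project such as CryptoLib. The hardened parser is the shape a response check has to take: it needs the buffer size, not just a pointer, and it rejects rather than guesses when the closing quote or the NUL is missing.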