CVE-2026-22024
Memory Leak in CryptoLib cryptography_encrypt() Causes Resource Exhaustion
Publication date: 2026-01-10
Last updated on: 2026-01-10
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nasa | cryptolib | up to 1.4.2 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability causes gradual memory exhaustion in systems running CryptoLib versions prior to 1.4.3. Each call to the vulnerable function leaks memory; under sustained traffic the leaked memory accumulates and can lead to out-of-memory conditions that degrade system availability. It does not affect the confidentiality or integrity of data. [1]
Can you explain this vulnerability to me?
CVE-2026-22024 is a moderate-severity memory leak vulnerability in the cryptography_encrypt() function of the CryptoLib package (versions up to 1.4.2). The function allocates multiple buffers for handling HTTP requests and JSON parsing but fails to free them on any code path, so approximately 400-500 bytes of memory leak per call. With sustained traffic, this gradually exhausts available memory and can cause out-of-memory conditions in long-running systems that process many encryption requests. Additionally, the same function contains an out-of-bounds read caused by improper use of strtok. The issue was fixed in version 1.4.3. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected with the Proof-of-Concept (PoC) code provided with the report, which includes a mock KMC HTTP server (`mock_kmc_server.py`) that simulates the encryption and decryption endpoints. Running the PoC client against a CryptoLib build instrumented with AddressSanitizer (ASAN) and LeakSanitizer (LSAN) reveals the memory leaks and out-of-bounds reads; the ASAN/LSAN reports show approximately 400 bytes leaked per call across nine allocations. The steps are to build CryptoLib with ASAN enabled, start the mock server, and run the PoC client while observing the sanitizer output. [1]
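The two answers above describe the defect class (CWE-401: buffers allocated for an HTTP round trip and response parsing that are never released on any code path) and the way it was confirmed (a leak sanitizer counting allocations that remain live after each call). The following C program is an added illustration of that pattern and is not code from CryptoLib; `encrypt_leaky`, `encrypt_fixed`, `fake_http_post` and the buffer sizes are constructed stand-ins, and the leak count is measured with a small tracking allocator in place of LSAN. The strtok out-of-bounds read mentioned in the explanation is not modelled here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed tracking allocator: counts heap blocks still live, so a
   leak shows up as a non-zero delta after a call returns (a stand-in
   for what LeakSanitizer reports at process exit). */
static long live_allocs = 0;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p) live_allocs++;
    return p;
}

static void tracked_free(void *p) {
    if (p) { live_allocs--; free(p); }
}

long outstanding_allocations(void) { return live_allocs; }

/* Hypothetical stand-in for the HTTP request to the key-management server.
   Returns 0 on success, -1 on a simulated transport failure. */
static int fake_http_post(const char *body, char *response, size_t cap, int fail) {
    if (fail) return -1;
    snprintf(response, cap, "{\"ciphertext\":\"%s\"}", body);
    return 0;
}

/* Leaky pattern (CWE-401): three buffers are allocated for the request body,
   the raw response and the parsed result, and no return path frees them. */
int encrypt_leaky(const char *plaintext, int simulate_failure) {
    char *request_body = tracked_malloc(256);
    char *response     = tracked_malloc(512);
    char *parsed       = tracked_malloc(128);
    if (!request_body || !response || !parsed)
        return -1;                         /* leaks whatever was allocated */
    snprintf(request_body, 256, "{\"plaintext\":\"%s\"}", plaintext);
    if (fake_http_post(request_body, response, 512, simulate_failure) != 0)
        return -1;                         /* error path leaks all three */
    strncpy(parsed, response, 127);
    parsed[127] = '\0';
    return 0;                              /* success path leaks all three */
}

/* Hardened form: every exit funnels through one cleanup label, so the
   buffers are released on success, on allocation failure and on transport
   failure alike. tracked_free() tolerates NULL, so partial allocation is safe. */
int encrypt_fixed(const char *plaintext, int simulate_failure) {
    int rc = -1;
    char *request_body = NULL, *response = NULL, *parsed = NULL;

    request_body = tracked_malloc(256);
    response     = tracked_malloc(512);
    parsed       = tracked_malloc(128);
    if (!request_body || !response || !parsed)
        goto cleanup;
    snprintf(request_body, 256, "{\"plaintext\":\"%s\"}", plaintext);
    if (fake_http_post(request_body, response, 512, simulate_failure) != 0)
        goto cleanup;
    strncpy(parsed, response, 127);
    parsed[127] = '\0';
    rc = 0;

cleanup:
    tracked_free(parsed);
    tracked_free(response);
    tracked_free(request_body);
    return rc;
}

/* Calls one variant n times and returns how many allocations it left live:
   the per-call leak rate the sanitizer would report, scaled by call count. */
long leaked_after(int (*fn)(const char *, int), int n, int simulate_failure) {
    long before = live_allocs;
    for (int i = 0; i < n; i++) fn("hello", simulate_failure);
    return live_allocs - before;
}

int main(void) {
    printf("leaky, 100 calls: %ld blocks still live\n", leaked_after(encrypt_leaky, 100, 0));
    printf("fixed, 100 calls: %ld blocks still live\n", leaked_after(encrypt_fixed, 100, 0));
    printf("fixed, 100 failing calls: %ld blocks still live\n", leaked_after(encrypt_fixed, 100, 1));
    return 0;
}
```

Compiling this with `-fsanitize=address` and running it produces the same picture LSAN gives for the real library: the leaky variant reports a fixed number of blocks lost per call, and the count grows linearly with the number of calls, which is the signature to look for when monitoring a long-running process that cannot yet be upgraded.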
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade CryptoLib to version 1.4.3 or later, where the memory leak and related vulnerabilities have been fixed. If upgrading is not immediately possible, monitoring system memory usage for leaks during sustained traffic and limiting the rate of encryption requests may help reduce the risk of resource exhaustion until the patch can be applied. [1, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in CryptoLib causes a memory leak that can lead to resource exhaustion and degraded availability over time, but it does not impact the confidentiality or integrity of data. It is therefore unlikely to directly violate data-protection requirements such as GDPR or HIPAA, which primarily focus on protecting the confidentiality and integrity of personal data. The main impact is on system availability due to memory exhaustion under sustained traffic. [1]