CVE-2026-22025
Memory Leak in CryptoLib SDLS-EP Encryption Causes Resource Exhaustion
Publication date: 2026-01-10
Last updated on: 2026-01-10
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nasa | cryptolib | before 1.4.3 (1.4.3 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22025 is a memory leak vulnerability in the KMC Client component of the CryptoLib package. When the KMC server returns a non-200 HTTP status code during cryptographic operations like encrypting or decrypting, the functions return immediately without freeing previously allocated memory buffers. Each failed request leaks about 467 bytes of memory. Repeated failures, whether caused by a malicious server or network issues, can gradually exhaust the system's memory. This issue was fixed in CryptoLib version 1.4.3. [3]
How can this vulnerability impact me?
This vulnerability can lead to gradual memory exhaustion on systems using the affected CryptoLib versions. An attacker controlling the KMC server or performing a man-in-the-middle attack could repeatedly trigger error responses, causing the client to leak memory continuously. Over time, this can degrade system performance or cause crashes due to resource exhaustion, impacting availability. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for memory leaks in the CryptoLib KMC Client when it receives non-200 HTTP status codes from the KMC server. A Proof-of-Concept (PoC) uses AddressSanitizer (ASAN) and LeakSanitizer (LSAN) tools to detect leaks by sending requests to a mock server endpoint that returns HTTP 500 errors, triggering the leak. Specifically, running the PoC involves configuring the KMC client to connect to a mock server and invoking cryptography_decrypt() to observe memory leaks of approximately 467 bytes per failed call. While exact commands are not provided, using ASAN/LSAN with the CryptoLib client during error responses is the suggested detection method. [3]
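The early-return pattern described in the first answer, and the per-call leak the detection answer refers to, shown as an added example that is not CryptoLib's code: a leaky KMC client call beside a single-exit version that frees on every path. The HTTP round-trip is a stub that returns a caller-chosen status, and an allocation counter stands in for LeakSanitizer so the block runs without sanitizers; the buffer sizes are constructed to sum to the page's 467 bytes.

```c
/* Added example, not CryptoLib source. Buffer sizes are constructed. */
#include <stdlib.h>

static int live_allocs = 0;   /* stand-in for LSAN's live-allocation count */

static void *tracked_malloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void tracked_free(void *p)     { if (p) { live_allocs--; free(p); } }

/* Stub for the HTTP POST to the KMC server: returns the simulated status code. */
static int kmc_http_post(int simulated_status) { return simulated_status; }

/* Vulnerable shape: on a non-200 status the function returns before freeing
 * the request buffers it allocated (256 + 211 = 467 bytes per failed call). */
int kmc_decrypt_leaky(int simulated_status)
{
    char *url  = tracked_malloc(256);
    char *body = tracked_malloc(211);
    if (!url || !body) { tracked_free(url); tracked_free(body); return -1; }
    if (kmc_http_post(simulated_status) != 200)
        return -2;                       /* BUG: url and body are never freed */
    tracked_free(url);
    tracked_free(body);
    return 0;
}

/* Fixed shape: every exit path, success or error, passes one cleanup label. */
int kmc_decrypt_fixed(int simulated_status)
{
    int rc = 0;
    char *url  = tracked_malloc(256);
    char *body = tracked_malloc(211);
    if (!url || !body) { rc = -1; goto cleanup; }
    if (kmc_http_post(simulated_status) != 200) { rc = -2; goto cleanup; }
cleanup:
    tracked_free(url);                   /* free(NULL)-safe via tracked_free */
    tracked_free(body);
    return rc;
}

/* Drive n calls that all see `status` and report allocations still live,
 * which is what a sanitizer run would flag at process exit. */
int leaked_after(int (*fn)(int), int n, int status)
{
    live_allocs = 0;
    for (int i = 0; i < n; i++) fn(status);
    return live_allocs;
}
```

Building the leaky variant with `-fsanitize=address` and exercising it against a failing status reproduces the sanitizer report the detection answer describes; the fixed variant stays clean.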
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the CryptoLib package to version 1.4.3 or later, where the memory leak issue has been fixed. This release addresses the improper cleanup of allocated buffers on non-200 HTTP responses, preventing memory leaks and potential resource exhaustion. [2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. The vulnerability is a memory leak issue that could lead to resource exhaustion but does not affect confidentiality or integrity of data, which are typically critical for regulatory compliance. [3]