CVE-2026-22025
Unknown Unknown - Not Provided
Memory Leak in CryptoLib SDLS-EP Encryption Causes Resource Exhaustion

Publication date: 2026-01-10

Last updated on: 2026-01-10

Assigner: GitHub, Inc.

Description
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, when the KMC server returns a non-200 HTTP status code, cryptography_encrypt() and cryptography_decrypt() return immediately without freeing previously allocated buffers. Each failed request leaks approximately 467 bytes. Repeated failures (from a malicious server or network issues) can gradually exhaust memory. This issue has been patched in version 1.4.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-10
Last Modified
2026-01-10
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22025
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nasa cryptolib to 1.4.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-401 The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22025 is a memory leak vulnerability in the KMC Client component of the CryptoLib package. When the KMC server returns a non-200 HTTP status code during cryptographic operations like encrypting or decrypting, the functions return immediately without freeing previously allocated memory buffers. Each failed request leaks about 467 bytes of memory. Repeated failures, whether caused by a malicious server or network issues, can gradually exhaust the system's memory. This issue was fixed in CryptoLib version 1.4.3. [3]

Impact Analysis

This vulnerability can lead to gradual memory exhaustion on systems using the affected CryptoLib versions. An attacker controlling the KMC server or performing a man-in-the-middle attack could repeatedly trigger error responses, causing the client to leak memory continuously. Over time, this can degrade system performance or cause crashes due to resource exhaustion, impacting availability. [3]

Detection Guidance

This vulnerability can be detected by monitoring for memory leaks in the CryptoLib KMC Client when it receives non-200 HTTP status codes from the KMC server. A Proof-of-Concept (PoC) uses AddressSanitizer (ASAN) and LeakSanitizer (LSAN) tools to detect leaks by sending requests to a mock server endpoint that returns HTTP 500 errors, triggering the leak. Specifically, running the PoC involves configuring the KMC client to connect to a mock server and invoking cryptography_decrypt() to observe memory leaks of approximately 467 bytes per failed call. While exact commands are not provided, using ASAN/LSAN with the CryptoLib client during error responses is the suggested detection method. [3]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the CryptoLib package to version 1.4.3 or later, where the memory leak issue has been fixed. This release addresses the improper cleanup of allocated buffers on non-200 HTTP responses, preventing memory leaks and potential resource exhaustion. [2, 3]

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. The vulnerability is a memory leak issue that could lead to resource exhaustion but does not affect confidentiality or integrity of data, which are typically critical for regulatory compliance. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22025. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart