CVE-2026-22026
Unknown Unknown - Not Provided
Unbounded Memory Growth in CryptoLib KMC Client via libcurl

Publication date: 2026-01-10

Last updated on: 2026-01-10

Assigner: GitHub, Inc.

Description
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the libcurl write_callback function in the KMC crypto service client allows unbounded memory growth by reallocating response buffers without any size limit or overflow check. A malicious KMC server can return arbitrarily large HTTP responses, forcing the client to allocate excessive memory until the process is terminated by the OS. This issue has been patched in version 1.4.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-10
Last Modified
2026-01-10
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22026
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nasa cryptolib to 1.4.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22026 is a high-severity vulnerability in the KMC crypto service client of the CryptoLib package (versions ≀ 1.4.2). The vulnerability exists in the write_callback function that handles HTTP responses from the KMC server. This function reallocates memory buffers to store incoming data without any upper limit or overflow checks. A malicious KMC server can exploit this by sending arbitrarily large HTTP responses, causing the client to allocate excessive memory continuously until the operating system terminates the process due to resource exhaustion. This leads to a denial-of-service (DoS) condition by exhausting system memory. [1]

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) attack on systems using the vulnerable CryptoLib versions. A remote attacker controlling a malicious KMC server can send large HTTP responses that force the client to allocate excessive memory, leading to process termination or unresponsiveness due to out-of-memory conditions. This impacts availability severely, potentially disrupting communications between spacecraft and ground stations that rely on this software. [1]

Detection Guidance

This vulnerability can be detected by monitoring the KMC crypto service client's memory usage for abnormal or unbounded growth during communication with the KMC server. Additionally, testing with a proof-of-concept (PoC) mock KMC server that returns large HTTP responses (e.g., 1MB JSON at /decrypt-large endpoint) can reveal if the client is vulnerable by observing memory exhaustion or process termination. Specific commands are not provided, but running the PoC with AddressSanitizer (ASAN) enabled, either via Docker or natively with ASAN flags, can help detect the issue. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the CryptoLib package to version 1.4.3 or later, where the vulnerability in the write_callback function has been fixed by adding proper checks to prevent unbounded memory allocation. Until the upgrade, avoid connecting to untrusted or potentially malicious KMC servers that could send large HTTP responses causing memory exhaustion. [1, 3]

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22026. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart