CVE-2026-22026
Unbounded Memory Growth in CryptoLib KMC Client via libcurl
Publication date: 2026-01-10
Last updated on: 2026-01-10
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nasa | cryptolib | up to 1.4.3 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-789 | The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22026 is a high-severity vulnerability in the KMC crypto service client of the CryptoLib package (versions ≤ 1.4.2). The vulnerability exists in the write_callback function that handles HTTP responses from the KMC server. This function reallocates memory buffers to store incoming data without any upper limit or overflow checks. A malicious KMC server can exploit this by sending arbitrarily large HTTP responses, causing the client to allocate excessive memory continuously until the operating system terminates the process due to resource exhaustion. This leads to a denial-of-service (DoS) condition by exhausting system memory. [1]
How can this vulnerability impact me?
This vulnerability can cause a denial-of-service (DoS) attack on systems using the vulnerable CryptoLib versions. A remote attacker controlling a malicious KMC server can send large HTTP responses that force the client to allocate excessive memory, leading to process termination or unresponsiveness due to out-of-memory conditions. This impacts availability severely, potentially disrupting communications between spacecraft and ground stations that rely on this software. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the KMC crypto service client's memory usage for abnormal or unbounded growth during communication with the KMC server. Additionally, testing with a proof-of-concept (PoC) mock KMC server that returns large HTTP responses (e.g., 1 MB JSON at the /decrypt-large endpoint) can reveal if the client is vulnerable by observing memory exhaustion or process termination. Specific commands are not provided, but running the PoC with AddressSanitizer (ASAN) enabled, either via Docker or natively with ASAN flags, can help detect the issue. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the CryptoLib package to version 1.4.3 or later, where the vulnerability in the write_callback function has been fixed by adding proper checks to prevent unbounded memory allocation. Until the upgrade, avoid connecting to untrusted or potentially malicious KMC servers that could send large HTTP responses causing memory exhaustion. [1, 3]
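As an added illustration of the pattern described above and the kind of check the 1.4.3 fix is said to add, here is a bounded libcurl-style write callback in C. This is not CryptoLib's own code: the `struct response` layout, the cap value and the `bytes_kept` driver are constructed for the example, while the callback signature and the abort-on-short-return behaviour are libcurl's documented semantics.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Buffer handed to libcurl via CURLOPT_WRITEDATA; cap is a hard ceiling on
 * len so a hostile server cannot grow it without bound (constructed limit). */
struct response { char *data; size_t len; size_t cap; };

/* Write callback with the CURLOPT_WRITEFUNCTION signature. The unbounded
 * pattern reallocs to len + n for every chunk; this one refuses a chunk that
 * would push len past cap. Returning anything other than size*nmemb makes
 * libcurl abort the transfer with CURLE_WRITE_ERROR, so the client fails
 * closed instead of being driven into out-of-memory. */
size_t bounded_write_callback(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct response *resp = userdata;
    if (size != 0 && nmemb > SIZE_MAX / size)    /* size*nmemb would overflow */
        return 0;
    size_t n = size * nmemb;
    if (n > resp->cap - resp->len)                /* would exceed the ceiling */
        return 0;
    char *grown = realloc(resp->data, resp->len + n + 1);
    if (grown == NULL)
        return 0;
    resp->data = grown;
    memcpy(resp->data + resp->len, ptr, n);
    resp->len += n;
    resp->data[resp->len] = '\0';
    return n;
}

/* Stand-in for libcurl: streams `chunks` chunks of `chunk_len` filler bytes
 * into a buffer capped at `cap`, stopping where libcurl would abort the
 * transfer. Returns how many bytes the buffer actually accumulated. */
size_t bytes_kept(size_t cap, size_t chunk_len, size_t chunks)
{
    struct response resp = { NULL, 0, cap };
    char *chunk = malloc(chunk_len);
    if (chunk == NULL)
        return 0;
    memset(chunk, 'A', chunk_len);                /* constructed response body */
    for (size_t i = 0; i < chunks; i++)
        if (bounded_write_callback(chunk, 1, chunk_len, &resp) != chunk_len)
            break;
    free(chunk);
    free(resp.data);
    return resp.len;
}
```

With a 4096-byte cap, 100 chunks of 1000 bytes stop at 4000 bytes instead of growing to 100 000, which is the behaviour a memory-usage check on the client should confirm after upgrading.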
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.