CVE-2026-22027
Heap-Based Buffer Overflow in CryptoLib MariaDB SA Interface
Publication date: 2026-01-10
Last updated on: 2026-01-10
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nasa | cryptolib | 1.4.3 |
| mariadb | mariadb | < 1.4.3 (1.4.3 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22027 is a heap-based buffer overflow in the CryptoLib package's MariaDB Security Association (SA) interface. The function convert_hexstring_to_byte_array() converts hex strings read from the database into byte arrays but never checks that the destination buffer is large enough for the decoded length. When importing SA fields such as the IV, ARSN, or ABM, a malformed or oversized hex string therefore overflows the fixed-size field and corrupts adjacent heap memory. For example, a hex string encoding 52 bytes can be written into a 16-byte buffer. The issue was fixed in version 1.4.3 by adding bounds checking to that function. [3]
How can this vulnerability impact me?
The overflow is triggered whenever Security Association data is loaded from the database, so an attacker who can modify database contents, or who can exploit a misconfiguration that lets untrusted values reach the SA tables, can corrupt heap memory in the process. The most likely outcomes are process crashes and undefined behavior, affecting integrity and availability (denial of service or other instability). Exploitation requires high privileges and local access. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is confirmed by exercising the CryptoLib SA import path with malformed or oversized hex strings in the database fields that feed it (IV, ARSN, ABM). A practical approach is the provided proof-of-concept (PoC), which stands in a simulated MySQL client that returns oversized hex strings so the overflow is reached without a real database. Running the PoC under AddressSanitizer (ASAN), natively or in Docker, makes the heap corruption visible as an ASAN report; for example `docker build -t cryptolib-poc .` followed by `docker run --rm cryptolib-poc`, or compiling the PoC with ASAN flags and executing it. There is no network-level detection for this issue, since it lives entirely in the local database interface and buffer handling. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade CryptoLib to version 1.4.3 or later, where the fix adds bounds checking to `convert_hexstring_to_byte_array()`. Until the upgrade is applied, restrict and monitor write access to the SA tables so that malformed or oversized hex strings cannot be inserted, and validate every hex string read from the database (even digit count, only hex characters, decoded length no larger than the target field) before it is decoded. [3, 2]
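To make the fault class described in the explanation and the validation recommended in the mitigation concrete, here is an added example; it is not CryptoLib's code, and the function and field names (`hex_to_bytes_checked`, `load_iv_field`, the 16-byte IV field) are assumptions chosen to mirror the 52-bytes-into-16-bytes case the advisory text describes. The unchecked decoder shows the CWE-122 pattern; the checked one is the kind of bounds check the fix is said to add, not the upstream patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative code, not CryptoLib's: names and layout are assumptions. */

/* Map one ASCII hex digit to its value, or -1 if it is not a hex digit. */
static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* CWE-122 pattern: the destination size is never consulted, so a hex
 * string longer than 2*sizeof(dest) writes past the allocation.
 * Kept for contrast only; never feed it untrusted input. */
static void hex_to_bytes_unchecked(const char *hex, uint8_t *dest)
{
    size_t n = strlen(hex) / 2;
    for (size_t i = 0; i < n; i++)
        dest[i] = (uint8_t)((hex_nibble(hex[2 * i]) << 4) | hex_nibble(hex[2 * i + 1]));
}

/* Hardened variant: validates length and characters before touching dest.
 * Returns the number of bytes written, or -1 if the input is rejected. */
static int hex_to_bytes_checked(const char *hex, uint8_t *dest, size_t dest_len)
{
    size_t hex_len = strlen(hex);
    if (hex_len % 2 != 0) return -1;            /* odd digit count */
    size_t n = hex_len / 2;
    if (n > dest_len) return -1;                /* would overflow dest */
    for (size_t i = 0; i < n; i++) {
        int hi = hex_nibble(hex[2 * i]);
        int lo = hex_nibble(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;        /* non-hex character */
        dest[i] = (uint8_t)((hi << 4) | lo);
    }
    return (int)n;
}

/* Simulates importing one SA field from a database row into a fixed-size
 * 16-byte IV field. Returns 0 on success, -1 when the stored value must be
 * rejected instead of decoded. */
static int load_iv_field(const char *db_value, uint8_t iv[16])
{
    return hex_to_bytes_checked(db_value, iv, 16) < 0 ? -1 : 0;
}

int main(void)
{
    /* Constructed sample values: a valid 16-byte IV and a 52-byte (104 hex
     * digit) string, the oversized case from the advisory text. */
    const char *good = "000102030405060708090a0b0c0d0e0f";
    char oversized[105];
    memset(oversized, 'a', 104);
    oversized[104] = '\0';

    uint8_t iv[16];
    printf("good:      %d\n", load_iv_field(good, iv));       /* 0  */
    printf("oversized: %d\n", load_iv_field(oversized, iv));  /* -1 */
    return 0;
}
```

Building with `cc -fsanitize=address -g` and calling `hex_to_bytes_unchecked` with the oversized string instead of the checked loader reproduces the ASAN report the detection answer refers to (a stack-buffer-overflow here, since `iv` is on the stack; a heap-buffer-overflow when the field is malloc'd as in the advisory). The checked path rejects the value before any write occurs.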