CVE-2026-22027
Unknown Unknown - Not Provided
Heap-Based Buffer Overflow in CryptoLib MariaDB SA Interface

Publication date: 2026-01-10

Last updated on: 2026-01-10

Assigner: GitHub, Inc.

Description
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the convert_hexstring_to_byte_array() function in the MariaDB SA interface writes decoded bytes into a caller-provided buffer without any capacity check. When importing SA fields from the database (e.g., IV, ARSN, ABM), a malformed or oversized hex string in the database can overflow the destination buffer, corrupting adjacent heap memory. This issue has been patched in version 1.4.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-10
Last Modified
2026-01-10
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22027
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
nasa cryptolib 1.4.3
mariadb mariadb to 1.4.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22027 is a heap buffer overflow vulnerability in the CryptoLib package's MariaDB Security Association (SA) interface. The function convert_hexstring_to_byte_array() converts hex strings from the database into byte arrays but does not check if the destination buffer is large enough. When importing SA fields like IV, ARSN, or ABM, a malformed or oversized hex string can overflow the buffer, corrupting adjacent heap memory. For example, a hex string representing 52 bytes can be written into a 16-byte buffer, causing overflow and memory corruption. This vulnerability was fixed in version 1.4.3 by adding proper bounds checking. [3]

Impact Analysis

This vulnerability can lead to heap memory corruption when the Security Association data is loaded from the database. An attacker who can modify database contents or exploit a misconfiguration could trigger this overflow, potentially causing process crashes or undefined behavior. The impact affects the integrity and availability of the system, possibly leading to denial of service or other stability issues. However, it requires high privileges and local access to exploit. [3]

Detection Guidance

This vulnerability can be detected by testing the CryptoLib environment with malformed or oversized hex strings in the database fields related to Security Associations (SA), such as IV, ARSN, or ABM. A practical approach is to use the provided proof-of-concept (PoC) code that simulates a MySQL client returning oversized hex strings to trigger the heap overflow. Running the PoC with AddressSanitizer (ASAN) enabled, either natively or via Docker, can reveal heap corruption issues. Specific commands would involve building and running the PoC with ASAN, for example: `docker build -t cryptolib-poc .` followed by `docker run --rm cryptolib-poc` or compiling the PoC with ASAN flags and executing it to observe memory errors. There are no direct network detection commands since the issue is local to the database interface and buffer handling. [3]

Mitigation Strategies

The immediate mitigation step is to upgrade CryptoLib to version 1.4.3 or later, where the vulnerability has been fixed by adding proper bounds checking in the `convert_hexstring_to_byte_array()` function. Until the upgrade is applied, restrict or monitor access to the database to prevent injection or insertion of malformed or oversized hex strings in SA fields. Additionally, review and validate all hex string inputs from the database before processing to avoid buffer overflows. [3, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22027. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart