CVE-2026-5474
Status: Received - Intake
Heap-Based Buffer Overflow in NASA cFS CCSDS Packet Handler

Publication date: 2026-04-03

Last updated on: 2026-04-30

Assigner: VulDB

Description
A vulnerability was found in NASA cFS up to 7.0.0. This affects the function CFE_MSG_GetSize of the file apps/to_lab/fsw/src/to_lab_passthru_encode.c of the component CCSDS Packet Header Handler. Performing a manipulation results in a heap-based buffer overflow. The attacker must have access to the local network to execute the attack. The project was informed of the problem early through an issue report but has not responded yet.
Meta Information
Published: 2026-04-03
Last Modified: 2026-04-30
Generated: 2026-05-06
AI Q&A: 2026-04-03
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor   Product              Version / Range
nasa     core_flight_system   up to 7.0.0 (inclusive)
CWE ID    Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
AI Powered Q&A
How can this vulnerability impact me?

Exploitation of this vulnerability can lead to a heap-based buffer overflow, which may allow an attacker to corrupt memory, potentially causing crashes, unexpected behavior, or execution of arbitrary code.

Since the attacker needs local network access, the risk is limited to environments where such access is possible.


Can you explain this vulnerability to me?

This vulnerability exists in NASA cFS up to version 7.0.0, specifically in the function CFE_MSG_GetSize within the file to_lab_passthru_encode.c of the CCSDS Packet Header Handler component. It is a heap-based buffer overflow that can be triggered by manipulating the function.

An attacker must have access to the local network to exploit this vulnerability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability causes a heap-based buffer overflow that can lead to the leakage of adjacent heap memory over UDP telemetry. This unintended data exposure could potentially include sensitive information.

Such data leakage may impact compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive data from unauthorized disclosure.

However, the provided information does not specify the nature of the leaked data or whether it includes regulated personal or health information.

Therefore, while the vulnerability poses a risk of data exposure that could affect compliance, the exact impact on standards like GDPR or HIPAA cannot be determined from the given information.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for heap-buffer-overflow reads during the processing of UDP packets with CCSDS headers in the NASA Core Flight System (cFS). Specifically, running cFS with AddressSanitizer (ASan) enabled can detect the heap-buffer-overflow when a crafted UDP packet with an inflated CCSDS Length field is sent.

To reproduce and detect the issue, you can build cFS Draco with ASan enabled, run it with CI_LAB and TO_LAB applications, and send a UDP packet to CI_LAB with a valid CCSDS header but a Length field claiming a larger size than the actual payload.

  • Use AddressSanitizer (ASan) to detect heap-buffer-overflow during runtime.
  • Send a crafted UDP packet with a CCSDS header where the Length field is larger than the actual payload size.
  • Monitor logs or ASan output for heap-buffer-overflow errors related to TO_LAB_EncodeOutputMessage or OS_SocketSendTo calls.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves validating or clamping the CCSDS-derived message size against the actual buffer allocation or the maximum allowed message size before sending data over UDP.

Since the vulnerability arises because TO_LAB_EncodeOutputMessage trusts the CCSDS header length without bounds checking, applying input validation to ensure the length field does not exceed buffer sizes is critical.

If possible, apply patches or updates that implement these validations in the TO_LAB passthru encode path or at the Software Bus API level (CFE_SB_TransmitMsg) to prevent similar issues.

  • Implement bounds checking on CCSDS Length fields before using them to determine buffer sizes.
  • Restrict network access to trusted sources to reduce the risk of local network attackers exploiting this vulnerability.
  • Use runtime protections such as AddressSanitizer during testing to detect and fix buffer overflows.
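The following is an added example of the bounds check described above, written for this page and not taken from the cFS code base. It decodes the CCSDS primary header length field (the standard defines it as the number of octets in the packet data field minus one, so the total packet length is the field value plus 7), then refuses to use any header-claimed size that exceeds the bytes actually received or a configured maximum. The helper names, the 1024-byte ceiling and the sample packets are all assumptions constructed for the example; a clamping variant is included because the mitigation text mentions both validating and clamping.

```c
/* Added example: validate a CCSDS-derived packet size before using it to
 * size a copy or a send. Hypothetical helper names; not cFS code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CCSDS_PRIMARY_HDR_LEN 6u
/* Stand-in for the platform's maximum message size (assumed value). */
#define MAX_MSG_SIZE 1024u

/* Decode the 16-bit packet length field at header bytes 4..5. Per CCSDS
 * 133.0-B-1 it holds (packet data field length - 1), so the total packet
 * length is field + 1 + 6 = field + 7. */
static size_t ccsds_total_length(const uint8_t *hdr)
{
    uint16_t field = (uint16_t)(((uint16_t)hdr[4] << 8) | hdr[5]);
    return (size_t)field + 1u + CCSDS_PRIMARY_HDR_LEN;
}

/* Strict check: return the header-claimed size only if it fits inside the
 * bytes actually received and the configured maximum; 0 means drop it. */
size_t safe_packet_size(const uint8_t *buf, size_t received_len)
{
    if (buf == NULL || received_len < CCSDS_PRIMARY_HDR_LEN) {
        return 0; /* not even a complete primary header */
    }
    size_t claimed = ccsds_total_length(buf);
    if (claimed > received_len) {
        /* Header claims more bytes than exist: trusting it would read past
         * the end of the receive buffer (the CWE-122 condition). */
        return 0;
    }
    if (claimed > MAX_MSG_SIZE) {
        return 0;
    }
    return claimed;
}

/* Clamping variant: never exceed what was received or the maximum. Safer
 * than trusting the header, but a truncated packet may still be forwarded. */
size_t clamped_packet_size(const uint8_t *buf, size_t received_len)
{
    if (buf == NULL || received_len < CCSDS_PRIMARY_HDR_LEN) {
        return 0;
    }
    size_t claimed = ccsds_total_length(buf);
    if (claimed > received_len) claimed = received_len;
    if (claimed > MAX_MSG_SIZE) claimed = MAX_MSG_SIZE;
    return claimed;
}

/* Copy a validated packet into an output buffer for sending. Returns the
 * number of bytes staged, or 0 if the packet was rejected or does not fit. */
size_t encode_for_send(const uint8_t *in, size_t received_len,
                       uint8_t *out, size_t out_cap)
{
    size_t n = safe_packet_size(in, received_len);
    if (n == 0 || out == NULL || n > out_cap) {
        return 0;
    }
    memcpy(out, in, n); /* n is bounded by both received_len and out_cap */
    return n;
}

int main(void)
{
    /* Constructed sample: length field 0x0009 -> total 16 bytes, matching
     * the 16 bytes "received". */
    uint8_t ok_pkt[16] = {0x08, 0x01, 0xC0, 0x00, 0x00, 0x09,
                          1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
    /* Constructed sample: length field 0x03FF -> claims 1030 bytes but only
     * 16 were received. */
    uint8_t bad_pkt[16] = {0x08, 0x01, 0xC0, 0x00, 0x03, 0xFF,
                           1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
    uint8_t out[32];

    printf("consistent packet: staged %zu bytes\n",
           encode_for_send(ok_pkt, sizeof ok_pkt, out, sizeof out));
    printf("inflated packet:   staged %zu bytes (0 = dropped)\n",
           encode_for_send(bad_pkt, sizeof bad_pkt, out, sizeof out));
    printf("inflated packet, clamped: %zu bytes\n",
           clamped_packet_size(bad_pkt, sizeof bad_pkt));
    return 0;
}
```

The strict variant is the one to prefer in a passthru path: a packet whose header disagrees with its actual length is malformed, and forwarding a clamped copy hides that fact from downstream consumers. Either way, the size that reaches the copy or send call is derived from the receive length and buffer capacity, never from the header alone.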
