CVE-2026-5474
Received Received - Intake
Heap-Based Buffer Overflow in NASA cFS CCSDS Packet Handler

Publication date: 2026-04-03

Last updated on: 2026-04-30

Assigner: VulDB

Description
A vulnerability was found in NASA cFS up to 7.0.0. This affects the function CFE_MSG_GetSize of the file apps/to_lab/fsw/src/to_lab_passthru_encode.c of the component CCSDS Packet Header Handler. Performing a manipulation results in heap-based buffer overflow. The attacker must have access to the local network to execute the attack. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5474
EUVD
EUVD-2026-18807
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nasa core_flight_system to 7.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

Exploitation of this vulnerability can lead to a heap-based buffer overflow, which may allow an attacker to corrupt memory, potentially causing crashes, unexpected behavior, or execution of arbitrary code.

Since the attacker needs local network access, the risk is limited to environments where such access is possible.

Executive Summary

This vulnerability exists in NASA cFS up to version 7.0.0, specifically in the function CFE_MSG_GetSize within the file to_lab_passthru_encode.c of the CCSDS Packet Header Handler component. It is a heap-based buffer overflow that can be triggered by manipulating the function.

An attacker must have access to the local network to exploit this vulnerability.

Compliance Impact

The vulnerability causes a heap-based buffer overflow that can lead to the leakage of adjacent heap memory over UDP telemetry. This unintended data exposure could potentially include sensitive information.

Such data leakage may impact compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive data from unauthorized disclosure.

However, the provided information does not specify the nature of the leaked data or whether it includes regulated personal or health information.

Therefore, while the vulnerability poses a risk of data exposure that could affect compliance, the exact impact on standards like GDPR or HIPAA cannot be determined from the given information.

Detection Guidance

This vulnerability can be detected by monitoring for heap-buffer-overflow reads during the processing of UDP packets with CCSDS headers in the NASA Core Flight System (cFS). Specifically, running cFS with AddressSanitizer (ASan) enabled can detect the heap-buffer-overflow when a crafted UDP packet with an inflated CCSDS Length field is sent.

To reproduce and detect the issue, you can build cFS Draco with ASan enabled, run it with CI_LAB and TO_LAB applications, and send a UDP packet to CI_LAB with a valid CCSDS header but a Length field claiming a larger size than the actual payload.

  • Use AddressSanitizer (ASan) to detect heap-buffer-overflow during runtime.
  • Send a crafted UDP packet with a CCSDS header where the Length field is larger than the actual payload size.
  • Monitor logs or ASan output for heap-buffer-overflow errors related to TO_LAB_EncodeOutputMessage or OS_SocketSendTo calls.
Mitigation Strategies

Immediate mitigation involves validating or clamping the CCSDS-derived message size against the actual buffer allocation or the maximum allowed message size before sending data over UDP.

Since the vulnerability arises because TO_LAB_EncodeOutputMessage trusts the CCSDS header length without bounds checking, applying input validation to ensure the length field does not exceed buffer sizes is critical.

If possible, apply patches or updates that implement these validations in the TO_LAB passthru encode path or at the Software Bus API level (CFE_SB_TransmitMsg) to prevent similar issues.

  • Implement bounds checking on CCSDS Length fields before using them to determine buffer sizes.
  • Restrict network access to trusted sources to reduce the risk of local network attackers exploiting this vulnerability.
  • Use runtime protections such as AddressSanitizer during testing to detect and fix buffer overflows.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5474. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart