CVE-2026-5475
Received Received - Intake
Memory Corruption in NASA cFS CCSDS Header Handler

Publication date: 2026-04-03

Last updated on: 2026-05-04

Assigner: VulDB

Description
A vulnerability was determined in NASA cFS up to 7.0.0. This impacts the function CFE_SB_TransmitMsg of the file cfe_sb_priv.c of the component CCSDS Header Size Handler. Executing a manipulation can lead to memory corruption. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-05-04
Generated
2026-06-16
AI Q&A
2026-04-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5475
EUVD
EUVD-2026-18813
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nasa core_flight_system to 7.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in NASA cFS up to version 7.0.0 affects the function CFE_SB_TransmitMsg, which is responsible for transmitting messages within the Software Bus component. The issue arises because the function reads the message size from the CCSDS header's Length field and uses this size directly in a memcpy operation without verifying that the source buffer actually contains that many bytes.

If the CCSDS Length field specifies a size larger than the actual source buffer, memcpy reads beyond the buffer boundary, causing a buffer over-read. This results in copying unintended adjacent memory into the Software Bus buffer, which is then delivered to all subscribers of the message ID.

This flaw can lead to memory corruption and unintended information disclosure, especially on real-time operating systems without memory isolation. The root cause is the trust placed solely on the CCSDS Length field for message size without validating the actual source buffer size.

Impact Analysis

This vulnerability can lead to memory corruption and unintended information disclosure by copying data beyond the intended buffer boundaries.

On real-time operating systems without memory management unit isolation, such as VxWorks and RTEMS, this can cause cross-application information leaks.

Because the Software Bus is central to message transmission in NASA cFS and used by all applications, exploitation of this vulnerability can affect multiple components and lead to systemic security issues.

Detection Guidance

This vulnerability involves the function CFE_SB_TransmitMsg in NASA cFS, where the CCSDS Length field is trusted without validating the actual source buffer size, leading to potential memory corruption and buffer over-read.

Detection can involve monitoring or analyzing the use of CFE_SB_TransmitMsg calls with mismatched buffer sizes, especially where the CCSDS Length field is larger than the actual buffer.

A practical detection approach is to reproduce the issue using debugging tools such as AddressSanitizer (ASan) to identify heap-buffer-overflow conditions triggered by calls to CFE_SB_TransmitMsg with manipulated CCSDS Length fields.

Since this is a software-level vulnerability in a specific API, network-level detection commands are not directly applicable. Instead, static code analysis or runtime instrumentation of the cFS software focusing on calls to CFE_SB_TransmitMsg and buffer size validations is recommended.

No specific command-line commands are provided in the available resources for direct detection on a running system or network.

Mitigation Strategies

Immediate mitigation involves preventing the exploitation of the buffer over-read by ensuring that the CCSDS Length field is validated against the actual source buffer size before calling memcpy in CFE_SB_TransmitMsg.

Since the vulnerability arises from trusting the CCSDS Length field without validation, adding source buffer size checks at the API level is critical.

Until an official patch or update is released by the NASA cFS project, consider implementing runtime checks or wrappers around CFE_SB_TransmitMsg to verify buffer sizes.

Avoid using untrusted or manipulated CCSDS messages that could trigger the vulnerability.

Monitor for updates or patches from the NASA cFS project and apply them promptly once available.

Compliance Impact

The vulnerability in NASA cFS allows for unintended information disclosure due to a buffer over-read in the message transmission API. This can lead to cross-application information leaks on certain real-time operating systems without memory isolation.

Such unintended information disclosure could potentially impact compliance with data protection standards and regulations like GDPR or HIPAA, which require safeguarding sensitive information against unauthorized access or leaks.

However, the provided information does not explicitly discuss or analyze the direct impact of this vulnerability on compliance with these common standards and regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5475. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart