CVE-2026-5475
Status: Received - Intake
Memory Corruption in NASA cFS CCSDS Header Handler

Publication date: 2026-04-03

Last updated on: 2026-05-04

Assigner: VulDB

Description
A vulnerability was identified in NASA cFS up to version 7.0.0. It affects the function CFE_SB_TransmitMsg in the file cfe_sb_priv.c of the component CCSDS Header Size Handler. Manipulation can lead to memory corruption. The project was informed of the problem early through an issue report but has not responded yet.
Meta Information
Published: 2026-04-03
Last Modified: 2026-05-04
Generated: 2026-05-07
AI Q&A: 2026-04-03
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: nasa
Product: core_flight_system
Version / Range: up to 7.0.0 (inclusive)
CWE
CWE-119: The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in NASA cFS up to version 7.0.0 affects the function CFE_SB_TransmitMsg, which transmits messages on the Software Bus component. The function reads the message size from the Length field of the CCSDS header and uses that size directly in a memcpy call without verifying that the source buffer actually contains that many bytes.

If the CCSDS Length field specifies a size larger than the actual source buffer, memcpy reads beyond the buffer boundary, causing a buffer over-read. Unintended adjacent memory is copied into the Software Bus buffer, which is then delivered to all subscribers of that message ID.

This flaw can lead to memory corruption and unintended information disclosure, especially on real-time operating systems without memory isolation. The root cause is that the message size is taken solely from the CCSDS Length field, with no validation against the actual source buffer size.


How can this vulnerability impact me?

This vulnerability can lead to memory corruption and unintended information disclosure by copying data beyond the intended buffer boundaries.

On real-time operating systems without memory management unit (MMU) isolation, such as VxWorks and RTEMS, this can cause cross-application information leaks.

Because the Software Bus is central to message transmission in NASA cFS and used by all applications, exploitation of this vulnerability can affect multiple components and lead to systemic security issues.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the function CFE_SB_TransmitMsg in NASA cFS, where the CCSDS Length field is trusted without validating the actual source buffer size, leading to potential memory corruption and buffer over-read.

Detection can focus on auditing CFE_SB_TransmitMsg call sites for mismatched buffer sizes, in particular cases where the CCSDS Length field can exceed the size of the actual buffer.

A practical detection approach is to reproduce the issue using debugging tools such as AddressSanitizer (ASan) to identify heap-buffer-overflow conditions triggered by calls to CFE_SB_TransmitMsg with manipulated CCSDS Length fields.

Since this is a software-level vulnerability in a specific API, network-level detection commands are not directly applicable. Instead, static code analysis or runtime instrumentation of the cFS software focusing on calls to CFE_SB_TransmitMsg and buffer size validations is recommended.

No specific command-line commands are provided in the available resources for direct detection on a running system or network.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation means preventing the buffer over-read by validating the CCSDS Length field against the actual source buffer size before the memcpy in CFE_SB_TransmitMsg.

Since the vulnerability arises from trusting the CCSDS Length field without validation, adding source buffer size checks at the API level is critical.

Until an official patch or update is released by the NASA cFS project, consider implementing runtime checks or wrappers around CFE_SB_TransmitMsg to verify buffer sizes.

Avoid feeding untrusted or manipulated CCSDS messages into the Software Bus, as these could trigger the vulnerability.

Monitor for updates or patches from the NASA cFS project and apply them promptly once available.
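As an added illustration (not cFS project code), the check the mitigation above calls for, written against the CCSDS primary header layout: the declared size is derived from the Length field and must fit inside the caller-supplied source buffer before memcpy runs. The wrapper functions, the buffer limit and the sample packets are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* CCSDS space packet primary header: 6 bytes, big-endian fields. Bytes 4-5
 * hold the Length field, defined as (total packet length - 7). */
#define CCSDS_PRI_HDR_LEN 6u
#define SB_MAX_MSG_SIZE   64u          /* constructed limit for this example */

static uint8_t sb_buffer[SB_MAX_MSG_SIZE];   /* stand-in for the SB destination buffer */

/* Total packet size declared by the header, or 0 if src cannot even hold a header. */
size_t ccsds_declared_size(const uint8_t *src, size_t src_len)
{
    if (src_len < CCSDS_PRI_HDR_LEN) {
        return 0;
    }
    uint16_t length_field = (uint16_t)(((unsigned)src[4] << 8) | src[5]);
    return (size_t)length_field + 7u;
}

/* Vulnerable pattern described in the advisory: the copy length comes only
 * from the header, so a Length field larger than the real buffer makes memcpy
 * read past the end of src. Shown for contrast; not exercised below. */
int transmit_unchecked(const uint8_t *src, size_t src_len)
{
    size_t n = ccsds_declared_size(src, src_len);
    if (n == 0 || n > SB_MAX_MSG_SIZE) {
        return -1;
    }
    memcpy(sb_buffer, src, n);          /* over-read when n > src_len */
    return 0;
}

/* Hardened wrapper: the caller passes the true size of src, and the declared
 * size must fit both inside src and inside the SB buffer before any copy. */
int transmit_checked(const uint8_t *src, size_t src_len)
{
    size_t n = ccsds_declared_size(src, src_len);
    if (n == 0 || n > SB_MAX_MSG_SIZE) {
        return -1;                      /* no header, or too big for the SB */
    }
    if (n > src_len) {
        return -2;                      /* header claims bytes src does not have */
    }
    memcpy(sb_buffer, src, n);
    return 0;
}

/* Constructed sample: Length field 0x0003 declares a 10-byte packet. */
const uint8_t SAMPLE_PKT[10] = {0x08, 0x01, 0xC0, 0x00, 0x00, 0x03, 1, 2, 3, 4};
/* Constructed sample: Length field 0xFFFF declares 65542 bytes. */
const uint8_t OVERSIZED_PKT[6] = {0x08, 0x01, 0xC0, 0x00, 0xFF, 0xFF};
```

Passing SAMPLE_PKT with a shorter src_len than its header declares is rejected with -2, which is exactly the condition that makes the unchecked version over-read.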


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in NASA cFS allows for unintended information disclosure due to a buffer over-read in the message transmission API. This can lead to cross-application information leaks on certain real-time operating systems without memory isolation.

Such unintended information disclosure could potentially impact compliance with data protection standards and regulations like GDPR or HIPAA, which require safeguarding sensitive information against unauthorized access or leaks.

However, the provided information does not explicitly discuss or analyze the direct impact of this vulnerability on compliance with these common standards and regulations.

