{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21898", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-05T17:24:36.931Z", "datePublished": "2026-01-10T00:10:29.925Z", "dateUpdated": "2026-01-12T20:22:05.827Z"}, "containers": {"cna": {"title": "CryptoLib Has Out-of-bounds Read in Crypto_AOS_ProcessSecurity", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/nasa/CryptoLib/security/advisories/GHSA-7ch6-2pmg-m853", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nasa/CryptoLib/security/advisories/GHSA-7ch6-2pmg-m853"}, {"name": "https://github.com/nasa/CryptoLib/releases/tag/v1.4.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/nasa/CryptoLib/releases/tag/v1.4.3"}], "affected": [{"vendor": "nasa", "product": "CryptoLib", "versions": [{"version": "< 1.4.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T00:10:29.925Z"}, "descriptions": [{"lang": "en", "value": "CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the Crypto_AOS_ProcessSecurity function reads memory without valid bounds checking when parsing AOS frame hashes. This issue has been patched in version 1.4.3."}], "source": {"advisory": "GHSA-7ch6-2pmg-m853", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/nasa/CryptoLib/security/advisories/GHSA-7ch6-2pmg-m853", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-12T20:22:02.691151Z", "id": "CVE-2026-21898", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T20:22:05.827Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21898", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-12T20:22:02.691151Z"}}}], "references": [{"url": "https://github.com/nasa/CryptoLib/security/advisories/GHSA-7ch6-2pmg-m853", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T20:21:53.657Z"}}], "cna": {"title": "CryptoLib Has Out-of-bounds Read in Crypto_AOS_ProcessSecurity", "source": {"advisory": "GHSA-7ch6-2pmg-m853", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "nasa", "product": "CryptoLib", "versions": [{"status": "affected", "version": "< 1.4.3"}]}], "references": [{"url": "https://github.com/nasa/CryptoLib/security/advisories/GHSA-7ch6-2pmg-m853", "name": "https://github.com/nasa/CryptoLib/security/advisories/GHSA-7ch6-2pmg-m853", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nasa/CryptoLib/releases/tag/v1.4.3", "name": "https://github.com/nasa/CryptoLib/releases/tag/v1.4.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the Crypto_AOS_ProcessSecurity function reads memory without valid bounds checking when parsing AOS frame hashes. This issue has been patched in version 1.4.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T00:10:29.925Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21898", "state": "PUBLISHED", "dateUpdated": "2026-01-12T20:22:05.827Z", "dateReserved": "2026-01-05T17:24:36.931Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-10T00:10:29.925Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nasa:cryptolib:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE1BE91E-2901-42AF-BC66-762CFA7A2582", "versionEndExcluding": "1.4.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the Crypto_AOS_ProcessSecurity function reads memory without valid bounds checking when parsing AOS frame hashes. This issue has been patched in version 1.4.3."}], "id": "CVE-2026-21898", "lastModified": "2026-01-15T21:48:49.657", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-10T01:16:17.957", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/nasa/CryptoLib/releases/tag/v1.4.3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/nasa/CryptoLib/security/advisories/GHSA-7ch6-2pmg-m853"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/nasa/CryptoLib/security/advisories/GHSA-7ch6-2pmg-m853"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T07:21:37.592226+00:00", "value": {"mitigation_remediation": ["Install CryptoLib version 1.4.3 or later to apply the bounds-checking fix.", "Limit who can send AOS frames when the library is not yet updated, reducing the chance of malicious input reaching Crypto_AOS_ProcessSecurity.", "Disable or reject malformed AOS frames until the patch is deployed to prevent exploitation of the read vulnerability."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected systems are those running NASA\u2019s CryptoLib before the 1.4.3 release. Any installation of CryptoLib that implements the CCSDS Space Data Link Security Protocol and processes AOS frames is vulnerable. Versions up to and including 1.4.2 lack the necessary bounds checks and therefore are at risk.", "description_and_impact": "The CryptoLib library implements the CCSDS Space Data Link Security Protocol for spacecraft and ground station communications. Its Crypto_AOS_ProcessSecurity function parses AOS frame hashes, but prior to version 1.4.3 it reads memory without properly checking bounds. This out-of-bounds read (CWE-125) can allow an attacker to read arbitrary data from the process\u2019s address space, potentially exposing cryptographic keys or other sensitive information. The flaw does not directly allow code execution but provides a path for information disclosure that could compromise mission confidentiality.", "risk_and_exploitability": "With a CVSS score of 8.2, this fault is considered high severity. The EPSS score is below 1\u202f%, suggesting that exploitation is unlikely at present, and no record exists in the CISA KEV catalog. However, the weakness requires crafted input that reaches Crypto_AOS_ProcessSecurity, so an attacker would need the ability to inject or modify AOS frames on the communication link. If this condition is met, the out-of-bounds read could leak confidential material, but would not directly execute code."}}}}, "created": "2026-01-12T14:36:33.362851+00:00", "updated": "2026-04-18T07:30:36.025738+00:00", "vendors": ["nasa", "nasa$PRODUCT$cryptolib"]}