{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21899", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-05T17:24:36.931Z", "datePublished": "2026-01-10T00:11:18.877Z", "dateUpdated": "2026-01-12T20:23:08.304Z"}, "containers": {"cna": {"title": "CryptoLib has an out-of-bounds read and crash vulnerability when decoding an empty Base64url string", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/nasa/CryptoLib/security/advisories/GHSA-wc29-5hw7-mpj8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nasa/CryptoLib/security/advisories/GHSA-wc29-5hw7-mpj8"}, {"name": "https://github.com/nasa/CryptoLib/releases/tag/v1.4.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/nasa/CryptoLib/releases/tag/v1.4.3"}], "affected": [{"vendor": "nasa", "product": "CryptoLib", "versions": [{"version": "< 1.4.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T00:11:18.877Z"}, "descriptions": [{"lang": "en", "value": "CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, in base64urlDecode, padding-stripping dereferences input[inputLen - 1] before checking that inputLen > 0 or that input != NULL. For inputLen == 0, this becomes an OOB read at input[-1], potentially crashing the process. If input == NULL and inputLen == 0, it dereferences NULL - 1. This issue has been patched in version 1.4.3."}], "source": {"advisory": "GHSA-wc29-5hw7-mpj8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-12T20:22:54.955002Z", "id": "CVE-2026-21899", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T20:23:08.304Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21899", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-12T20:22:54.955002Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T20:22:58.538Z"}}], "cna": {"title": "CryptoLib has an out-of-bounds read and crash vulnerability when decoding an empty Base64url string", "source": {"advisory": "GHSA-wc29-5hw7-mpj8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "nasa", "product": "CryptoLib", "versions": [{"status": "affected", "version": "< 1.4.3"}]}], "references": [{"url": "https://github.com/nasa/CryptoLib/security/advisories/GHSA-wc29-5hw7-mpj8", "name": "https://github.com/nasa/CryptoLib/security/advisories/GHSA-wc29-5hw7-mpj8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nasa/CryptoLib/releases/tag/v1.4.3", "name": "https://github.com/nasa/CryptoLib/releases/tag/v1.4.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, in base64urlDecode, padding-stripping dereferences input[inputLen - 1] before checking that inputLen > 0 or that input != NULL. For inputLen == 0, this becomes an OOB read at input[-1], potentially crashing the process. If input == NULL and inputLen == 0, it dereferences NULL - 1. This issue has been patched in version 1.4.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T00:11:18.877Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21899", "state": "PUBLISHED", "dateUpdated": "2026-01-12T20:23:08.304Z", "dateReserved": "2026-01-05T17:24:36.931Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-10T00:11:18.877Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nasa:cryptolib:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE1BE91E-2901-42AF-BC66-762CFA7A2582", "versionEndExcluding": "1.4.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, in base64urlDecode, padding-stripping dereferences input[inputLen - 1] before checking that inputLen > 0 or that input != NULL. For inputLen == 0, this becomes an OOB read at input[-1], potentially crashing the process. If input == NULL and inputLen == 0, it dereferences NULL - 1. This issue has been patched in version 1.4.3."}], "id": "CVE-2026-21899", "lastModified": "2026-01-15T21:45:24.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-10T01:16:18.113", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/nasa/CryptoLib/releases/tag/v1.4.3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/nasa/CryptoLib/security/advisories/GHSA-wc29-5hw7-mpj8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T07:21:29.217894+00:00", "value": {"mitigation_remediation": ["Upgrade CryptoLib to version 1.4.3 or later to apply the patch that removes the out\u2011of\u2011bounds read.", "If an upgrade is not feasible, modify the calling code to validate that the input string length is greater than zero and that the input pointer is not NULL before invoking base64urlDecode.", "Implement additional runtime checks or error handling around CryptoLib\u2019s decoding functions to prevent accidental crashes caused by malformed or empty input."], "summary": {"action": "Patch", "impact": "Denial of Service via out\u2011of\u2011bounds read and crash"}, "threat_synthesis": {"affected_systems": "The issue exists in versions of NASA\u2019s CryptoLib prior to 1.4.3. All installations running CryptoLib 1.4.2 or earlier are susceptible. The fix is applied in release 1.4.3.", "description_and_impact": "CryptoLib\u2019s base64urlDecode function performs a padding\u2011stripping operation that dereferences input[inputLen - 1] before verifying that the input pointer is non\u2011null and that the length is greater than zero. When an empty Base64url string (length zero) or a NULL pointer with zero length is supplied, the function reads outside the bounds of the input array or dereferences a NULL pointer, causing the library to crash. The vulnerability is classified as an out\u2011of\u2011bounds read that leads to a denial of service through process termination. No remote code execution or data disclosure is directly possible from the information supplied.", "risk_and_exploitability": "With a CVSS score of 4.7, the vulnerability is moderate. The EPSS score is less than 1%, indicating a very low probability of widespread exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no known active exploits. Attackers would need to provide an empty or NULL Base64url string to the base64urlDecode routine, which may be achievable if the library is exposed to untrusted input such as telemetry, command, or configuration streams. Proper validation or the official patch removes the possibility of a crash."}}}}, "created": "2026-01-12T14:36:36.063923+00:00", "updated": "2026-04-18T07:30:36.025126+00:00", "vendors": ["nasa", "nasa$PRODUCT$cryptolib"]}