Heap Buffer Overflow in CryptoLib Affects NASA's Space Communications
CVE-2025-30356

9.3CRITICAL

Key Information:

Vendor: Nasa
Status: Cryptolib
Vendor: CVE Published:; 1 April 2025

What is CVE-2025-30356?

CryptoLib, which utilizes the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to safeguard communication between spacecraft and ground stations, has a heap buffer overflow vulnerability. This issue arises in the Crypto_TC_ApplySecurity function owing to inadequate validation on the frame length (fl) field in versions 1.3.3 and earlier. Although previous patches addressed a related underflow issue, they failed to fully mitigate unsafe calculations. Attackers can exploit this vulnerability by crafting malicious frames that result in a negative tf_payload_len, leading to an overflow in memory operations, allowing potential remote execution of arbitrary code.

Affected Version(s)

CryptoLib <= 1.3.3

References

https://github.com/nasa/CryptoLib/security/advisories/GHS...

x_refsource_CONFIRM

https://github.com/nasa/CryptoLib/commit/59d1bce7608c94c6...

x_refsource_MISC

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 1, 2025

Nasa

What is CVE-2025-30356?

Affected Version(s)

References

CVSS V4

Timeline