Out-of-Bounds Heap Read Vulnerability in CryptoLib Affecting NASA's Communication Security
CVE-2026-21900

8.2HIGH

Key Information:

Vendor

Nasa

Status
Cryptolib
Vendor
CVE Published:
10 January 2026

What is CVE-2026-21900?

CryptoLib, developed by NASA for securing communications between spacecraft and ground stations, contains an out-of-bounds heap read vulnerability in its cryptography_encrypt() function. This issue emerges when processing JSON metadata from KMC server responses, where a flaw in the strtok iteration leads to reading beyond allocated buffer limits. This occurs particularly with short or malformed metadata strings. A significant patch has been issued in version 1.4.3 to address this vulnerability, ensuring enhanced security in mission-critical applications. For detailed information on the vulnerability and its resolution, please visit the GitHub advisory and release notes.

Affected Version(s)

CryptoLib < 1.4.3

References

https://github.com/nasa/CryptoLib/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/nasa/CryptoLib/commit/2372efd3da1ccb22...
x_refsource_MISC
https://github.com/nasa/CryptoLib/releases/tag/v1.4.3
x_refsource_MISC

CVSS V4

Score:
8.2
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.