Memory Leak in CryptoLib Using CCSDS Protocol by NASA
CVE-2026-22025

6.3MEDIUM

Key Information:

Vendor

Nasa

Status
Cryptolib
Vendor
CVE Published:
10 January 2026

What is CVE-2026-22025?

CryptoLib, utilized for securing communications via the CCSDS Space Data Link Security Protocol, has an issue that leads to memory leakage. When the KMC server does not respond with a 200 HTTP status code, the functions cryptography_encrypt() and cryptography_decrypt() fail to release previously allocated memory. Each unsuccessful HTTP request results in approximately 467 bytes of memory being unreleased, which can gradually consume system memory resources when faced with repeated failures, whether from a malicious server or network disruptions. This vulnerability has been addressed in version 1.4.3.

Affected Version(s)

CryptoLib < 1.4.3

References

https://github.com/nasa/CryptoLib/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/nasa/CryptoLib/commit/2372efd3da1ccb22...
x_refsource_MISC
https://github.com/nasa/CryptoLib/releases/tag/v1.4.3
x_refsource_MISC

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.