Logic Bug in F Prime Framework Allows Arbitrary File Write in Embedded Applications
CVE-2026-41144

NONE

Key Information:

Vendor: Nasa
Status: Fprime
Vendor: CVE Published:; 21 April 2026

What is CVE-2026-41144?

A logic bug in the F Prime framework prior to version 4.2.0 allows for an attacker to bypass bounds checks on file writes, leading to potential remote code execution. An attacker can craft a DataPacket that exploits the overflow of byte offsets, writing arbitrary data to any file at any offset without proper sanitization of the destination file path. This allows unauthorized modifications and manipulations within embedded systems. The issue is not detected by ASAN due to valid buffer access during memory operations. A patch is available in version 4.2.0, with no known workarounds.

Affected Version(s)

fprime < 4.2.0

References

https://github.com/nasa/fprime/security/advisories/GHSA-q...

x_refsource_CONFIRM

https://github.com/nasa/fprime/commit/cacdd555456bd83ab39...

x_refsource_MISC

CVSS V3.1

Score:

Severity:

NONE

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 21, 2026
Vulnerability Reserved
Apr 17, 2026

CVE-2026-41144 Data

JSON

Nasa

What is CVE-2026-41144?

Affected Version(s)

References

CVSS V3.1

Timeline