CVE-2026-21897
Published: 10 January 2026
Summary
CVE-2026-21897 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Nasa Cryptolib. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood percentile is 5.2 (below the median), and it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Memory protections that mark writable pages non-executable (NX/DEP) stop an out-of-bounds write from running injected shellcode; they do not on their own prevent control-flow corruption that reuses existing code, so they should be paired with stack protection and control-flow integrity where the platform supports them.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
A remote out-of-bounds write in the network-exposed CryptoLib library directly enables exploitation of a public-facing application handling spacecraft/ground communications.
NVD Description
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the Crypto_Config_Add_Gvcid_Managed_Parameters function only checks whether gvcid_counter > GVCID_MAN_PARAM_SIZE. As a result, it allows up to the 251st entry, which causes a write past the end of the array, overwriting gvcid_counter located immediately after gvcid_managed_parameters_array[250]. This leads to an out-of-bounds write, and the overwritten gvcid_counter may become an arbitrary value, potentially affecting the parameter lookup/registration logic that relies on it. This issue has been patched in version 1.4.3.
Deeper analysis (AI)
CVE-2026-21897 is an out-of-bounds write vulnerability (CWE-787) affecting NASA's CryptoLib, a software-only library that implements the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between spacecraft running the core Flight System (cFS) and ground stations. In versions prior to 1.4.3, the Crypto_Config_Add_Gvcid_Managed_Parameters function only checks if gvcid_counter exceeds GVCID_MAN_PARAM_SIZE, permitting a 251st entry that writes past the end of gvcid_managed_parameters_array[250] and overwrites the immediately adjacent gvcid_counter variable.
The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating it is exploitable remotely over the network with low complexity, no privileges, and no user interaction. Attackers can trigger the out-of-bounds write, corrupting gvcid_counter to an arbitrary value and potentially disrupting parameter lookup and registration logic that depends on it.
NASA patched the issue in CryptoLib version 1.4.3. Relevant details are available in the security advisory at https://github.com/nasa/CryptoLib/security/advisories/GHSA-9x7j-gx23-7m5r and the release notes at https://github.com/nasa/CryptoLib/releases/tag/v1.4.3.
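To make the off-by-one concrete, here is an added example that is not CryptoLib's code: it models the layout the advisory describes (a 250-entry array with gvcid_counter stored in the word immediately after it) as one flat slot array, and places the pre-1.4.3 `>` check beside a `>=` check of the kind that closes the bug. The status names, the single-word entries and the exact form of the 1.4.3 fix are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define GVCID_MAN_PARAM_SIZE 250
#define COUNTER_SLOT GVCID_MAN_PARAM_SIZE   /* the word right after the array */

/* Constructed model of the layout the advisory describes: slots[0..249]
 * stand in for gvcid_managed_parameters_array, slots[250] for gvcid_counter. */
typedef struct { uint32_t slots[GVCID_MAN_PARAM_SIZE + 1]; } gvcid_table_t;
typedef int (*add_fn)(gvcid_table_t *, uint32_t);

enum { CRYPTO_LIB_SUCCESS = 0, CRYPTO_LIB_ERR_TABLE_FULL = -1 };  /* assumed names */

uint32_t table_counter(const gvcid_table_t *t) { return t->slots[COUNTER_SLOT]; }

/* Pre-1.4.3 check: '>' admits counter == 250, so the entry lands in slots[250],
 * which is the counter itself; the increment then acts on the clobbered value. */
int add_vulnerable(gvcid_table_t *t, uint32_t entry) {
    uint32_t counter = t->slots[COUNTER_SLOT];
    if (counter > GVCID_MAN_PARAM_SIZE) return CRYPTO_LIB_ERR_TABLE_FULL;
    t->slots[counter] = entry;        /* out of bounds when counter == 250 */
    t->slots[COUNTER_SLOT] += 1;      /* gvcid_counter++ */
    return CRYPTO_LIB_SUCCESS;
}

/* Corrected check (assumed form of the 1.4.3 fix): reject once the table is
 * full, so the highest index ever written is 249. */
int add_fixed(gvcid_table_t *t, uint32_t entry) {
    uint32_t counter = t->slots[COUNTER_SLOT];
    if (counter >= GVCID_MAN_PARAM_SIZE) return CRYPTO_LIB_ERR_TABLE_FULL;
    t->slots[counter] = entry;
    t->slots[COUNTER_SLOT] += 1;
    return CRYPTO_LIB_SUCCESS;
}

/* Register n copies of entry v through add() on a zeroed table; returns the last status. */
int fill(gvcid_table_t *t, add_fn add, int n, uint32_t v) {
    int rc = CRYPTO_LIB_SUCCESS;
    for (int i = 0; i <= GVCID_MAN_PARAM_SIZE; i++) t->slots[i] = 0;
    for (int i = 0; i < n && rc == CRYPTO_LIB_SUCCESS; i++) rc = add(t, v);
    return rc;
}

uint32_t counter_after(add_fn add, int n, uint32_t v) {
    gvcid_table_t t; fill(&t, add, n, v); return table_counter(&t);
}
int status_after(add_fn add, int n, uint32_t v) {
    gvcid_table_t t; return fill(&t, add, n, v);
}

int main(void) {
    printf("vulnerable, 251 adds: counter = 0x%x (a sane table would hold 250)\n",
           counter_after(add_vulnerable, 251, 0xBEEF));
    printf("fixed, 251 adds: status = %d, counter = %u\n",
           status_after(add_fixed, 251, 0xBEEF), counter_after(add_fixed, 251, 0xBEEF));
    return 0;
}
```

With the vulnerable check the 251st registration turns the counter into the caller-supplied value plus one, which is exactly the "arbitrary value" the advisory warns later lookups will trust.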
Details
- CWE(s)