Cyber Resilience

CVE-2026-21897

Severity: High

Published: 10 January 2026
Modified: 15 January 2026
KEV Added: not listed
Patch: v1.4.3
CVSS v3.1 score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS score: 0.0003 (9.9th percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-21897 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Nasa Cryptolib. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 9.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SA-15 (Development Process, Standards, and Tools).

Deeper analysis

CVE-2026-21897 is an out-of-bounds write vulnerability (CWE-787) affecting NASA's CryptoLib, a software-only library that implements the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between spacecraft running the core Flight System (cFS) and ground stations. In versions prior to 1.4.3, the Crypto_Config_Add_Gvcid_Managed_Parameters function only checks if gvcid_counter exceeds GVCID_MAN_PARAM_SIZE, permitting a 251st entry that writes past the end of gvcid_managed_parameters_array[250] and overwrites the immediately adjacent gvcid_counter variable.

The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating it is exploitable remotely over the network with low complexity, no privileges, and no user interaction. Attackers can trigger the out-of-bounds write, corrupting gvcid_counter to an arbitrary value and potentially disrupting parameter lookup and registration logic that depends on it.

NASA patched the issue in CryptoLib version 1.4.3. Relevant details are available in the security advisory at https://github.com/nasa/CryptoLib/security/advisories/GHSA-9x7j-gx23-7m5r and the release notes at https://github.com/nasa/CryptoLib/releases/tag/v1.4.3.

Vulnerability details

CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the Crypto_Config_Add_Gvcid_Managed_Parameters function only checks whether gvcid_counter > GVCID_MAN_PARAM_SIZE. As a result, it allows up to the 251st entry, which causes a write past the end of the array, overwriting gvcid_counter located immediately after gvcid_managed_parameters_array[250]. This leads to an out-of-bounds write, and the overwritten gvcid_counter may become an arbitrary value, potentially affecting the parameter lookup/registration logic that relies on it. This issue has been patched in version 1.4.3.
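To make the off-by-one concrete, the following is an added, simplified C model of the guard described above; it is not CryptoLib's code. The array size (250) and the counter-immediately-after-array layout follow the advisory; the entry struct, the function names and the corrected `>=` form of the comparison are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the bug class, not CryptoLib's code. The size and the
 * counter-after-array layout follow the advisory; the names below are constructed. */
#define GVCID_MAN_PARAM_SIZE 250

typedef struct { unsigned char tfvn, scid, vcid; } gvcid_entry_t;   /* constructed */

typedef struct {
    gvcid_entry_t table[GVCID_MAN_PARAM_SIZE];
    int counter;   /* sits right after the table, so a one-past-the-end write lands here */
} gvcid_store_t;

/* Vulnerable guard as the advisory describes it: only counter > SIZE is rejected,
 * so counter == SIZE passes and table[SIZE] (one past the end) would be written. */
int admit_vulnerable(int counter) { return !(counter > GVCID_MAN_PARAM_SIZE); }

/* Corrected guard (assumed form): the last valid index is SIZE - 1. */
int admit_fixed(int counter) { return counter >= 0 && counter < GVCID_MAN_PARAM_SIZE; }

/* Registration using the corrected guard. Returns the new count, or -1 when full. */
int gvcid_add_managed_parameters(gvcid_store_t *s, gvcid_entry_t e) {
    if (!admit_fixed(s->counter)) return -1;
    s->table[s->counter] = e;
    return ++s->counter;
}

/* Fill a store to capacity, then keep trying; returns the final counter, which
 * must still equal GVCID_MAN_PARAM_SIZE rather than a corrupted value. */
int fill_then_overfill(void) {
    static gvcid_store_t s;
    memset(&s, 0, sizeof s);
    gvcid_entry_t e = {0, 0, 0};
    for (int i = 0; i < GVCID_MAN_PARAM_SIZE + 5; i++) {
        e.vcid = (unsigned char)i;
        gvcid_add_managed_parameters(&s, e);   /* extra attempts are rejected with -1 */
    }
    return s.counter;
}

int main(void) {
    printf("counter=%d: vulnerable guard admits=%d, fixed guard admits=%d\n",
           GVCID_MAN_PARAM_SIZE, admit_vulnerable(GVCID_MAN_PARAM_SIZE),
           admit_fixed(GVCID_MAN_PARAM_SIZE));
    printf("after overfill attempts counter=%d\n", fill_then_overfill());
    return 0;
}
```

With the counter at 250 the vulnerable guard admits the request (index 250 is one past the 250-element table) while the corrected guard rejects it, and the counter stays at 250 however many extra registrations are attempted.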

CWE(s)

CWE-787 Out-of-bounds Write

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A remotely triggerable out-of-bounds write in the network-exposed CryptoLib library maps directly to exploitation of a public-facing application handling spacecraft/ground communications.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-30216 (same product: NASA CryptoLib)
CVE-2025-29909 (same product: NASA CryptoLib)
CVE-2025-29912 (same product: NASA CryptoLib)
CVE-2026-22697 (same product: NASA CryptoLib)
CVE-2025-29911 (same product: NASA CryptoLib)
CVE-2025-29913 (same product: NASA CryptoLib)
CVE-2025-54878 (same product: NASA CryptoLib)
CVE-2026-22023 (same product: NASA CryptoLib)
CVE-2025-29910 (same product: NASA CryptoLib)
CVE-2026-21898 (same product: NASA CryptoLib)

Affected Assets

nasa / cryptolib, versions ≤ 1.4.3

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 (Information Input Validation). Directly requires validation of all inputs to the Crypto_Config_Add_Gvcid_Managed_Parameters function so that gvcid_counter cannot exceed the declared array bound.

Prevent: SA-15 (Development Process, Standards, and Tools). Mandates use of secure development standards and tools that would have prevented the missing bounds check that produced the out-of-bounds write.

Respond / Recover: Requires timely application of the vendor patch (v1.4.3) that corrects the flawed bounds check in the affected function.
