CVE-2026-21898
Published: 10 January 2026
Summary
CVE-2026-21898 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Nasa Cryptolib. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 9.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation and bounds checking on parsed AOS frame hashes to prevent out-of-bounds memory reads during processing.
Implements memory protection mechanisms that mitigate the impact of out-of-bounds reads, such as preventing unauthorized memory access or corruption leading to crashes or disclosure.
Ensures timely identification, reporting, and patching of flaws like the bounds-checking omission fixed in CryptoLib v1.4.3.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds read in network-facing protocol parser directly enables remote application crash/DoS via crafted frames (CWE-125).
NVD Description
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the Crypto_AOS_ProcessSecurity function…
more
reads memory without valid bounds checking when parsing AOS frame hashes. This issue has been patched in version 1.4.3.
Deeper analysisAI
CVE-2026-21898 is a memory safety vulnerability in NASA's CryptoLib, a software-only library implementing the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) for securing communications between spacecraft running the core Flight System (cFS) and ground stations. Specifically, versions prior to 1.4.3 suffer from an out-of-bounds read in the Crypto_AOS_ProcessSecurity function during parsing of AOS frame hashes, due to a lack of valid bounds checking (CWE-125). This flaw has a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H), indicating high severity primarily from availability impact.
A remote, unauthenticated attacker with network access to the affected system can exploit this vulnerability with low complexity and no user interaction required. By sending specially crafted AOS frames containing malformed hashes, the attacker triggers the out-of-bounds memory read, potentially leading to application crashes, denial of service, or limited information disclosure through memory contents.
The vulnerability has been addressed in CryptoLib version 1.4.3, as detailed in the project's GitHub security advisory (GHSA-7ch6-2pmg-m853) and release notes. Security practitioners using CryptoLib in spaceflight communication stacks should upgrade to v1.4.3 or later to mitigate the issue.
Details
- CWE(s)