Cyber Resilience

CVE-2026-21900

HighPublic PoC

Published: 10 January 2026

Published
10 January 2026
Modified
16 January 2026
KEV Added
Patch
CVSS Score v4 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0051 39.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-21900 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Nasa Cryptolib. Its CVSS base score is 8.2 (High).

Operationally, ranked at the 39.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, an out-of-bounds heap…

more

read vulnerability in cryptography_encrypt() occurs when parsing JSON metadata from KMC server responses. The flawed strtok iteration pattern uses ptr + strlen(ptr) + 1 which reads one byte past allocated buffer boundaries when processing short or malformed metadata strings. This issue has been patched in version 1.4.3.

CWE(s)

Related Threats

CVEs Like This One

CVE-2026-22023Same product: Nasa Cryptolib
CVE-2026-21898Same product: Nasa Cryptolib
CVE-2025-29913Same product: Nasa Cryptolib
CVE-2025-29909Same product: Nasa Cryptolib
CVE-2025-29910Same product: Nasa Cryptolib
CVE-2025-29911Same product: Nasa Cryptolib
CVE-2026-22697Same product: Nasa Cryptolib
CVE-2025-29912Same product: Nasa Cryptolib
CVE-2025-30216Same product: Nasa Cryptolib
CVE-2026-21897Same product: Nasa Cryptolib

Affected Assets

nasa
cryptolib
≤ 1.4.3

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References