Cyber Resilience

CVE-2026-22023

Severity: High · Public PoC
Published: 10 January 2026
Modified: 16 January 2026
KEV Added: no (not currently in the CISA KEV catalog)
Patch: yes (CryptoLib 1.4.3)
CVSS v4 score: 8.2 (vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0053 (40.3rd percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-22023 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Nasa Cryptolib. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 40.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-22023 is an out-of-bounds heap read vulnerability (CWE-125) in the cryptography_aead_encrypt() function within NASA's CryptoLib. CryptoLib is a software-only library that implements the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between spacecraft running the core Flight System (cFS) and ground stations. The flaw affects versions of CryptoLib prior to 1.4.3 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no authentication privileges or user interaction. Exploitation triggers an out-of-bounds heap read, resulting in high-impact availability disruption—such as denial-of-service through application crashes—while confidentiality and integrity remain unaffected.

NASA patched the vulnerability in CryptoLib version 1.4.3, as detailed in the project's GitHub release, the fixing commit (2372efd3da1ccb226b4297222e25f41ecc84821d), and the associated security advisory (GHSA-8w3h-q8jm-3chq). Security practitioners should update to version 1.4.3 or later to mitigate the issue.

Vulnerability details

CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, there is an out-of-bounds heap read vulnerability in cryptography_aead_encrypt(). This issue has been patched in version 1.4.3.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

OOB heap read in network-exposed CryptoLib directly enables remote application crash for DoS via software exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21898 (same product: Nasa Cryptolib)
CVE-2025-29910 (same product: Nasa Cryptolib)
CVE-2026-22026 (same product: Nasa Cryptolib)
CVE-2026-21900 (same product: Nasa Cryptolib)
CVE-2025-29911 (same product: Nasa Cryptolib)
CVE-2025-29913 (same product: Nasa Cryptolib)
CVE-2025-54878 (same product: Nasa Cryptolib)
CVE-2025-29909 (same product: Nasa Cryptolib)
CVE-2026-22697 (same product: Nasa Cryptolib)
CVE-2025-29912 (same product: Nasa Cryptolib)

Affected Assets

Vendor: nasa
Product: cryptolib
Version: ≤ 1.4.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SI-2 (Flaw Remediation). Directly mandates timely identification, reporting, and correction of flaws like the out-of-bounds heap read in CryptoLib's cryptography_aead_encrypt() by applying the patch in version 1.4.3.

Detect: RA-5 (Vulnerability Monitoring and Scanning). Enables detection of the vulnerable CryptoLib version prior to version 1.4.3 through regular vulnerability scanning and monitoring.

Prevent: Implements memory safeguards such as address space layout randomization that mitigate exploitation of heap-based out-of-bounds reads leading to denial-of-service.
