CVE-2026-22026
Published: 10 January 2026
Summary
CVE-2026-22026 is a high-severity Memory Allocation with Excessive Size Value (CWE-789) vulnerability in Nasa Cryptolib. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 22.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote exploitation of uncontrolled memory allocation in the client to force out-of-memory (OOM) termination, which maps directly to application/system exploitation for endpoint denial of service.
NVD Description
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the libcurl write_callback function in the KMC crypto service client allows unbounded memory growth by reallocating response buffers without any size limit or overflow check. A malicious KMC server can return arbitrarily large HTTP responses, forcing the client to allocate excessive memory until the process is terminated by the OS. This issue has been patched in version 1.4.3.
Deeper analysis
CVE-2026-22026 affects CryptoLib, a software-only library implementing the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) for securing communications between spacecraft running NASA's core Flight System (cFS) and ground stations. Prior to version 1.4.3, the libcurl write_callback function in the KMC crypto service client suffers from unbounded memory growth due to reallocating response buffers without size limits or overflow checks, as associated with CWE-789 (Uncontrolled Memory Allocation). This vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for high-impact availability disruption.
A remote attacker positioned as a malicious KMC server can exploit this issue by crafting and returning arbitrarily large HTTP responses to a vulnerable client. No privileges, user interaction, or special conditions are required, enabling exploitation over the network with low complexity. Successful attacks force the client process to allocate excessive memory, leading to denial-of-service via out-of-memory termination by the operating system.
NASA's GitHub security advisory (GHSA-w9cm-q69w-34x7), release notes for v1.4.3, and the patching commit (2372efd3da1ccb226b4297222e25f41ecc84821d) confirm the issue is fully addressed in CryptoLib version 1.4.3, recommending immediate upgrades for affected deployments.
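The defect class described above (CWE-789 in a libcurl write callback) is easiest to see as the unbounded pattern next to a bounded one. The following is an added example written for this page; it is not CryptoLib's code or its patch, and the buffer struct, the `cap_limit` ceiling, the `simulate_response` driver and all constants are assumptions. The callbacks use the `CURLOPT_WRITEFUNCTION` signature, and the hardened version refuses a chunk by returning a value other than `size * nmemb`, which is the documented way to make libcurl abort a transfer with `CURLE_WRITE_ERROR`. The driver stands in for libcurl so the block runs offline without the library.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical growable response buffer passed to the callback via userp. */
typedef struct {
    char  *data;
    size_t len;        /* bytes currently stored (excluding the trailing NUL) */
    size_t cap_limit;  /* hard ceiling on total response bytes (assumed policy) */
} response_buf_t;

/* The defect pattern the advisory describes: every chunk grows the buffer
   with no ceiling and no overflow check, so a server that keeps streaming
   bytes drives the client to OOM. Shown for contrast only. */
size_t unbounded_write_callback(void *contents, size_t size, size_t nmemb, void *userp)
{
    response_buf_t *buf = (response_buf_t *)userp;
    size_t chunk = size * nmemb;                        /* may overflow */
    char *grown = realloc(buf->data, buf->len + chunk + 1); /* no limit */
    if (grown == NULL) return 0;
    buf->data = grown;
    memcpy(buf->data + buf->len, contents, chunk);
    buf->len += chunk;
    buf->data[buf->len] = '\0';
    return chunk;
}

/* Hardened callback: overflow-checked arithmetic and a fixed size ceiling.
   Returning 0 (not size*nmemb) tells libcurl to abort the transfer. */
size_t bounded_write_callback(void *contents, size_t size, size_t nmemb, void *userp)
{
    response_buf_t *buf = (response_buf_t *)userp;

    /* 1. size * nmemb must not wrap around size_t. */
    if (size != 0 && nmemb > SIZE_MAX / size) return 0;
    size_t chunk = size * nmemb;

    /* 2. len + chunk + 1 (for the NUL) must not wrap and must stay under the cap. */
    if (chunk > SIZE_MAX - buf->len - 1) return 0;
    size_t needed = buf->len + chunk + 1;
    if (needed > buf->cap_limit) return 0;   /* server exceeded the allowed size */

    /* 3. Only now grow the buffer; keep the old pointer if realloc fails. */
    char *grown = realloc(buf->data, needed);
    if (grown == NULL) return 0;
    buf->data = grown;
    memcpy(buf->data + buf->len, contents, chunk);
    buf->len += chunk;
    buf->data[buf->len] = '\0';
    return chunk;
}

/* Constructed stand-in for libcurl: feeds `chunks` chunks of `chunk_size`
   bytes into the bounded callback, as an oversized server response would.
   Returns the number of bytes accepted before the callback refused. */
size_t simulate_response(response_buf_t *buf, size_t chunk_size, size_t chunks)
{
    char *chunk = malloc(chunk_size);
    if (chunk == NULL) return 0;
    memset(chunk, 'A', chunk_size);
    size_t accepted = 0;
    for (size_t i = 0; i < chunks; i++) {
        size_t n = bounded_write_callback(chunk, 1, chunk_size, buf);
        if (n != chunk_size) break;            /* libcurl would abort here */
        accepted += n;
    }
    free(chunk);
    return accepted;
}

/* Helper: run one simulated response against a fresh buffer with the given
   ceiling and report how many bytes the client accepted. */
size_t demo_bounded(size_t cap_limit, size_t chunk_size, size_t chunks)
{
    response_buf_t buf = { .data = NULL, .len = 0, .cap_limit = cap_limit };
    size_t accepted = simulate_response(&buf, chunk_size, chunks);
    free(buf.data);
    return accepted;
}

/* Helper: confirm the multiplication overflow guard fires (returns 1 if so). */
int overflow_rejected(void)
{
    response_buf_t buf = { .data = NULL, .len = 0, .cap_limit = 1024 };
    char byte = 'A';
    size_t n = bounded_write_callback(&byte, SIZE_MAX, 2, &buf);
    free(buf.data);
    return n == 0;
}

int main(void)
{
    /* A 1 KiB ceiling against a server streaming twenty 100-byte chunks:
       the client stops after 1000 bytes instead of growing without bound. */
    printf("accepted %zu bytes\n", demo_bounded(1024, 100, 20));
    printf("overflow guard ok: %d\n", overflow_rejected());
    return 0;
}
```

The ceiling should be sized for the largest legitimate KMC response the client expects; when the callback refuses, treat the resulting `CURLE_WRITE_ERROR` as a hard failure and log the peer, since a well-behaved key-management server should never approach the limit.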
Details
- CWE(s)