CVE-2026-22697
Published: 10 January 2026
Summary
CVE-2026-22697 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in NASA CryptoLib. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 34.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. A public proof-of-concept is referenced.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated heap overflow in a network-facing crypto service (KMC JSON response handling) directly enables exploitation of a public-facing application for RCE or DoS.
NVD Description
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, CryptoLib’s KMC crypto service integration is vulnerable to a heap buffer overflow when decoding Base64-encoded ciphertext/cleartext fields returned by the KMC service. The decode destination buffer is sized using an expected output length (len_data_out), but the Base64 decoder writes output based on the actual Base64 input length and does not enforce any destination size limit. An oversized Base64 string in the KMC JSON response can cause out-of-bounds writes on the heap, resulting in process crash and potentially code execution under certain conditions. This issue has been patched in version 1.4.3.
Deeper analysis
CVE-2026-22697 is a heap buffer overflow vulnerability (CWE-122) in CryptoLib, a software-only library implementing the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) for securing communications between spacecraft running the core Flight System (cFS) and ground stations. In versions prior to 1.4.3, the KMC crypto service integration mishandles Base64 decoding of ciphertext or cleartext fields in KMC JSON responses. The destination buffer is allocated based on an expected output length (len_data_out), but the decoder outputs based on the input Base64 length without enforcing bounds, allowing oversized inputs to trigger out-of-bounds heap writes. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
An attacker with network access to a system using vulnerable CryptoLib can exploit this by crafting a KMC JSON response containing an oversized Base64-encoded string. No authentication or user interaction is required, enabling remote exploitation with low complexity. Successful exploitation causes heap corruption, reliably leading to process crashes that disrupt availability, and under certain conditions, could enable arbitrary code execution on the affected system.
NASA's GitHub security advisory (GHSA-qjx3-83jh-2jc4) and release notes for CryptoLib v1.4.3 detail the patch, which addresses the buffer sizing discrepancy in the Base64 decoder to prevent out-of-bounds writes. Security practitioners should upgrade to version 1.4.3 or later and review integrations with KMC services for exposure.
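The sizing mismatch described above can be closed by deriving the output size from the actual Base64 input and comparing it with the destination capacity before any byte is written. The following is an added example, not CryptoLib's code or its patch; the function names and return codes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Map one Base64 character to its 6-bit value, or -1 if invalid. */
static int b64_val(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Hypothetical helper: decode padded Base64 into dst, never writing more
 * than dst_cap bytes. Returns 0 on success, -1 on malformed input,
 * -2 if the decoded data would not fit in dst. */
int b64_decode_bounded(const char *in, size_t in_len,
                       uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    size_t pad = 0, need, i, o = 0;

    if (in_len == 0 || in_len % 4 != 0) return -1;
    if (in[in_len - 1] == '=') pad++;
    if (in[in_len - 2] == '=') pad++;

    /* Size comes from the actual input and is checked before any write. */
    need = in_len / 4 * 3 - pad;
    if (need > dst_cap) return -2;

    for (i = 0; i < in_len; i += 4) {
        uint32_t v = 0;
        int j;
        for (j = 0; j < 4; j++) {
            int last_quad = (i + 4 == in_len);
            int is_pad = last_quad && j >= 4 - (int)pad;
            int d = is_pad ? 0 : b64_val((unsigned char)in[i + j]);
            if (d < 0) return -1;
            v = (v << 6) | (uint32_t)d;
        }
        if (o < need) dst[o++] = (uint8_t)(v >> 16);
        if (o < need) dst[o++] = (uint8_t)(v >> 8);
        if (o < need) dst[o++] = (uint8_t)v;
    }
    *out_len = o;
    return 0;
}
```

Here `dst_cap` plays the role of the expected length (len_data_out in the description): a response field that decodes to more than that is rejected instead of being written past the allocation.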
Details
- CWE(s)