CVE-2026-5474
Published: 03 April 2026
Summary
CVE-2026-5474 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in NASA Core Flight System. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The vulnerability ranks at the 5.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces validation of incoming CCSDS packet sizes and structures to prevent heap-based buffer overflows from malformed inputs lacking proper bounds checking.
Implements memory protection mechanisms such as heap canaries, address space layout randomization, and non-executable memory to mitigate exploitation of heap buffer overflows.
Establishes network boundary protections like firewalls or segmentation to restrict adjacent network access required to deliver malicious packets to the vulnerable CCSDS Packet Header Handler.
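The size validation described above for incoming CCSDS packets, as an added example that is not NASA cFS code and not part of the original page: a bounds-checked copy that compares the length declared in the 6-octet CCSDS primary header against both the octets actually received and the destination capacity. The function names, status codes and sample header bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CCSDS_PRI_HDR_LEN 6u /* CCSDS Space Packet primary header, octets */

typedef enum { PKT_OK, PKT_NO_HEADER, PKT_OVERCLAIM, PKT_TOO_BIG } pkt_status;

/* Octets 4-5 hold a big-endian 16-bit field equal to (data field octets - 1),
   so the size the header declares is field + 1 + 6. Caller guarantees 6 octets. */
static size_t ccsds_declared_size(const uint8_t *hdr)
{
    return (((size_t)hdr[4] << 8) | hdr[5]) + 1u + CCSDS_PRI_HDR_LEN;
}

/* Copy one packet only if the declared size fits both what arrived and dst. */
pkt_status checked_copy(uint8_t *dst, size_t dst_cap,
                        const uint8_t *src, size_t received, size_t *copied)
{
    *copied = 0;
    if (received < CCSDS_PRI_HDR_LEN)
        return PKT_NO_HEADER;          /* length field not even present */
    size_t declared = ccsds_declared_size(src);
    if (declared > received)
        return PKT_OVERCLAIM;          /* header claims more than was received */
    if (declared > dst_cap)
        return PKT_TOO_BIG;            /* would overrun the destination buffer */
    memcpy(dst, src, declared);
    *copied = declared;
    return PKT_OK;
}

/* Constructed sample: header with the given length field, `received` octets
   delivered (<= 128), 64-octet destination. Returns the verdict. */
pkt_status demo(uint16_t len_field, size_t received)
{
    uint8_t wire[128] = {0x08, 0x80, 0xC0, 0x00,
                         (uint8_t)(len_field >> 8), (uint8_t)len_field};
    uint8_t out[64];
    size_t n;
    return checked_copy(out, sizeof out, wire, received, &n);
}

int main(void)
{
    printf("%d %d %d %d\n", demo(3, 10), demo(0xFFFF, 10), demo(3, 4), demo(93, 100));
    return 0;
}
```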
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Heap-based buffer overflow in network packet handler (CCSDS) allows unauthenticated remote exploitation over adjacent network to cause memory corruption and limited impacts, directly enabling exploitation of remote services.
NVD Description
A vulnerability was found in NASA cFS up to 7.0.0. This affects the function CFE_MSG_GetSize of the file apps/to_lab/fsw/src/to_lab_passthru_encode.c of the component CCSDS Packet Header Handler. Performing a manipulation results in heap-based buffer overflow. The attacker must have access to the local network to execute the attack. The project was informed of the problem early through an issue report but has not responded yet.
Deeper analysis
CVE-2026-5474 is a heap-based buffer overflow vulnerability in NASA's Core Flight System (cFS) versions up to 7.0.0. The issue resides in the CFE_MSG_GetSize function within the file apps/to_lab/fsw/src/to_lab_passthru_encode.c, part of the CCSDS Packet Header Handler component. Triggered by packet manipulation, it stems from improper bounds checking, as classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-122 (Heap-based Buffer Overflow). The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating medium severity.
An attacker with adjacent network access (AV:A) can exploit this vulnerability remotely over the local network without privileges (PR:N) or user interaction (UI:N), and attack complexity is low (AC:L). Successful exploitation leads to limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), potentially allowing partial data disclosure, modification, or denial of service via heap corruption within the affected cFS instance.
References, including the NASA cFS GitHub repository and issue #952, indicate the project was notified early via an issue report but has not yet responded or issued patches. VulDB entries (vuln/355078 and related CTI) document the flaw but provide no mitigation guidance beyond general network segmentation to limit adjacent access. Security practitioners should monitor the GitHub issue for updates and consider isolating cFS deployments from untrusted local networks.
Details
- CWE(s)