← Volver a CVEs

CVE-2026-22027

MEDIUM

6.0

Descripcion

CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the convert_hexstring_to_byte_array() function in the MariaDB SA interface writes decoded bytes into a caller-provided buffer without any capacity check. When importing SA fields from the database (e.g., IV, ARSN, ABM), a malformed or oversized hex string in the database can overflow the destination buffer, corrupting adjacent heap memory. This issue has been patched in version 1.4.3.

Detalles CVE

Puntuacion CVSS v3.16.0

SeveridadMEDIUM

Vector CVSSCVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Vector de ataqueLOCAL

ComplejidadLOW

Privilegios requeridosHIGH

Interaccion usuarioNONE

Publicado1/10/2026

Ultima modificacion1/15/2026

Fuentenvd

Avistamientos honeypot0

Productos afectados

nasa:cryptolib

Debilidades (CWE)

CWE-122

Referencias

https://github.com/nasa/CryptoLib/commit/2372efd3da1ccb226b4297222e25f41ecc84821d(security-advisories@github.com)

https://github.com/nasa/CryptoLib/releases/tag/v1.4.3(security-advisories@github.com)

https://github.com/nasa/CryptoLib/security/advisories/GHSA-3m35-m689-h29x(security-advisories@github.com)

https://github.com/nasa/CryptoLib/security/advisories/GHSA-3m35-m689-h29x(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.