CVE-2026-21898 HIGH

CVE-2026-21898: CryptoLib Has Out-of-bounds Read in Crypto_AOS_ProcessSecurity

Vendor NASA
Product CryptoLib
Weakness CWE-125
Published January 10, 2026
Last update January 12, 2026

CVSS base score

8.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

What the vulnerability does

01 Description

CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the Crypto_AOS_ProcessSecurity function reads memory without valid bounds checking when parsing AOS frame hashes. This issue has been patched in version 1.4.3.

Key dates

02 Disclosure timeline

January 10, 2026 CVE published
January 12, 2026 Record updated
