Description
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the cryptography_encrypt() function allocates multiple buffers for HTTP requests and JSON parsing that are never freed on any code path. Each call leaks approximately 400 bytes of memory. Sustained traffic can gradually exhaust available memory. This issue has been patched in version 1.4.3.
Published: 2026-01-10
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Resource Exhaustion
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a memory leak in CryptoLib’s cryptography_encrypt() function, on the KMC encrypt path. Each invocation allocates several buffers for the HTTP request it sends and for parsing the JSON it gets back, and none of them is released on any code path, success or error, so roughly 400 bytes leak per call. Accumulated over sustained traffic, the leak depletes available memory and eventually denies service. The weakness is CWE-401 (Missing Release of Memory after Effective Lifetime); its effect is on availability of the process, not on the confidentiality or integrity of the protected link.
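The pattern behind CWE-401 here, as an added illustration that is not CryptoLib’s own code: a KMC-style encrypt call that allocates an HTTP request buffer, an HTTP response buffer and a JSON-extracted value, first in the leaky shape where every return abandons them, then in the fixed shape where a single cleanup label frees whatever was acquired. The HTTP and JSON steps are stubs, the names kmc_encrypt_leaky, kmc_encrypt_fixed and leaked_by, the buffer sizes and the sample frame are all constructed for this example, and the allocation counter stands in for a heap profiler.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define REQ_LEN  128   /* constructed sizes, not CryptoLib's */
#define RESP_LEN 256

/* Allocation tracker so the leak is observable without a heap profiler. */
static long live_allocs = 0;
static void *tracked_malloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void tracked_free(void *p) { if (p) { live_allocs--; free(p); } }

/* Stand-in for the HTTP round trip to the key-management service (hypothetical):
 * writes a constructed JSON reply into resp, or fails when fail_http is set. */
static int http_post_stub(const char *req, char *resp, size_t resp_len, int fail_http)
{
    (void)req;
    if (fail_http) return -1;
    snprintf(resp, resp_len, "{\"ciphertext\":\"%s\"}", "a1b2c3d4e5f6");
    return 0;
}

/* Stand-in for the JSON parsing step: returns the "ciphertext" value in a newly
 * allocated buffer the caller owns, or NULL if the key is missing. */
static char *json_get_ciphertext(const char *json)
{
    static const char key[] = "\"ciphertext\":\"";
    const char *start = strstr(json, key), *end;
    size_t n; char *v;
    if (!start) return NULL;
    start += sizeof key - 1;
    end = strchr(start, '"');
    if (!end) return NULL;
    n = (size_t)(end - start);
    v = tracked_malloc(n + 1);
    if (!v) return NULL;
    memcpy(v, start, n);
    v[n] = '\0';
    return v;
}

/* Leaky shape: every return, success included, abandons the buffers (CWE-401). */
int kmc_encrypt_leaky(const uint8_t *pt, size_t pt_len, uint8_t *out, size_t *out_len, int fail_http)
{
    char *request = tracked_malloc(REQ_LEN), *response = tracked_malloc(RESP_LEN), *ct_hex;
    size_t n;
    (void)pt;
    if (!request || !response) return -1;                 /* leaks whichever succeeded */
    snprintf(request, REQ_LEN, "{\"plaintext_len\":%zu}", pt_len);
    if (http_post_stub(request, response, RESP_LEN, fail_http) != 0)
        return -2;                                        /* leaks request + response */
    ct_hex = json_get_ciphertext(response);
    if (!ct_hex) return -3;                               /* leaks request + response */
    n = strlen(ct_hex);
    if (n > *out_len) return -4;                          /* leaks all three */
    memcpy(out, ct_hex, n);
    *out_len = n;
    return 0;                                             /* success path: still leaks all three */
}

/* Fixed shape: one exit label releases everything that was acquired. */
int kmc_encrypt_fixed(const uint8_t *pt, size_t pt_len, uint8_t *out, size_t *out_len, int fail_http)
{
    int rc = -1;
    char *request = NULL, *response = NULL, *ct_hex = NULL;
    size_t n;
    (void)pt;
    request = tracked_malloc(REQ_LEN); response = tracked_malloc(RESP_LEN);
    if (!request || !response) goto cleanup;
    snprintf(request, REQ_LEN, "{\"plaintext_len\":%zu}", pt_len);
    rc = -2; if (http_post_stub(request, response, RESP_LEN, fail_http) != 0) goto cleanup;
    rc = -3; ct_hex = json_get_ciphertext(response); if (!ct_hex) goto cleanup;
    rc = -4; n = strlen(ct_hex); if (n > *out_len) goto cleanup;
    memcpy(out, ct_hex, n);
    *out_len = n;
    rc = 0;
cleanup:
    tracked_free(ct_hex);      /* tracked_free(NULL) is a no-op, so partial setups are safe */
    tracked_free(response);
    tracked_free(request);
    return rc;
}

/* Drives one call with a constructed frame and returns how many allocations it left live. */
long leaked_by(int (*encrypt_fn)(const uint8_t *, size_t, uint8_t *, size_t *, int), int fail_http)
{
    static const uint8_t frame[] = "constructed TC frame payload";
    uint8_t out[64];
    size_t out_len = sizeof out;
    long before = live_allocs;
    encrypt_fn(frame, sizeof frame - 1, out, &out_len, fail_http);
    return live_allocs - before;
}
```

Calling leaked_by(kmc_encrypt_leaky, 0) reports three allocations left live per successful call and two when the HTTP step fails; the fixed version reports none on either path. The point the advisory stresses is that the leak is on every code path, so the fix has to free on the success path too, not only on the error returns; running either version under LeakSanitizer or Valgrind shows the same result as the counter.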

Affected Systems

The affected product is NASA’s CryptoLib, a software-only implementation of the CCSDS Space Data Link Security Protocol – Extended Procedures used for securing communications between a spacecraft’s core Flight System and a ground station. Versions of CryptoLib prior to 1.4.3 contain the flaw; the issue was corrected in the 1.4.3 release.

Risk and Exploitability

With a CVSS v4.0 base score of 6.3 the vulnerability is rated medium, and the EPSS score below 1 % indicates a low probability of exploitation at the time of assessment. The flaw is not listed in the CISA KEV catalog, although the SSVC assessment records a proof of concept as available. The vector (AV:N/AC:L/AT:P/PR:N/UI:N) describes an unauthenticated network attacker needing no user interaction, with attack requirements present: exploitation consists of sustaining enough traffic through the cryptography_encrypt() path that the leaked buffers accumulate until memory is exhausted. Anyone able to drive that traffic, whether through network access to the system or by generating frames it must encrypt, could bring the process to resource exhaustion; the impact is limited to availability (VA:L).

Generated by OpenCVE AI on April 18, 2026 at 07:20 UTC.

Remediation

The vendor fix is CryptoLib 1.4.3, as stated in the description; no separate workaround is listed.

OpenCVE Recommended Actions

  • Upgrade CryptoLib to version 1.4.3 or newer, which frees the HTTP-request and JSON-parsing buffers on every code path of cryptography_encrypt().
  • Implement throttling or rate limiting in front of whatever drives the KMC encrypt path, so the rate at which leaked memory accumulates is bounded.
  • Deploy monitoring of the process’s memory use (for example its resident set size) and alert on steady growth, so the process can be restarted, which reclaims the leaked memory, before a full denial of service occurs.



Advisories

No advisories yet.

History

Fri, 16 Jan 2026 16:45:00 +0000

Type        Values Removed   Values Added
CPEs        (none)           cpe:2.3:a:nasa:cryptolib:*:*:*:*:*:*:*:*
Metrics     (none)           cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


Tue, 13 Jan 2026 20:15:00 +0000

Type        Values Removed   Values Added
Metrics     (none)           ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 12 Jan 2026 14:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Nasa; Nasa cryptolib
Vendors & Products   (none)           Nasa; Nasa cryptolib

Sat, 10 Jan 2026 00:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the cryptography_encrypt() function allocates multiple buffers for HTTP requests and JSON parsing that are never freed on any code path. Each call leaks approximately 400 bytes of memory. Sustained traffic can gradually exhaust available memory. This issue has been patched in version 1.4.3.
Title         (none)           CryptoLib Memory Leak in KMC Encrypt Function Leads to Resource Exhaustion
Weaknesses    (none)           CWE-401
References    (none)
Metrics       (none)           cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-13T20:08:55.439Z

Reserved: 2026-01-05T22:30:38.718Z

Link: CVE-2026-22024

Vulnrichment

Updated: 2026-01-13T20:08:44.535Z

NVD

Status : Analyzed

Published: 2026-01-10T01:16:18.553

Modified: 2026-01-16T16:44:36.080

Link: CVE-2026-22024

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:30:36Z

Weaknesses