Description
F´ (F Prime) is a framework that enables development and deployment of spaceflight and other embedded software applications. Prior to version 4.2.0, the bounds check byteOffset + dataSize > fileSize uses U32 addition that wraps around on overflow. An attacker-crafted DataPacket with byteOffset=0xFFFFFF9C and dataSize=100 overflows to 0, bypassing the check entirely. The subsequent file write proceeds at the original ~4GB offset. Additionally, Svc/FileUplink/File.cpp:20-31 performs no sanitization on the destination file path. Combined, these allow writing arbitrary data to any file at any offset. The impact is arbitrary file write leading to remote code execution on embedded targets. Note that this is a logic bug. ASAN does not detect it because all memory accesses are within valid buffers — the corruption occurs in file I/O. Version 4.2.0 contains a patch. No known workarounds are available.
Published: 2026-04-21
Score: 0 Low
EPSS: n/a
KEV: No
Impact: Arbitrary file write leading to remote code execution
Action: Patch the framework
AI Analysis

Impact

A logic flaw in the F Prime FileUplink component causes an unsigned integer overflow when the sum byteOffset + dataSize is checked against fileSize. An attacker can send a crafted packet with a large byteOffset so that the sum wraps to zero, bypassing the bounds check; the write then starts at an offset close to the top of the 4GB range. In addition, the code that writes to the destination file performs no validation of the file path, enabling a write to any arbitrary file. The combination of these defects permits an attacker to write arbitrary data into any file on the target system, which can then be used to achieve remote code execution on the embedded device.

Affected Systems

Affected systems are deployments of NASA’s F Prime framework older than version 4.2.0. The vulnerability is present in the FileUplink component used by many spaceflight and other embedded software applications that rely on F Prime for data transfer.

Risk and Exploitability

No exploit probability (EPSS) score is available for the flaw and it is not listed in the CISA KEV catalog, but its potential impact is severe. Exploitation requires access to the FileUplink service and the ability to send it a specially crafted data packet; the service may be exposed locally or remotely depending on the deployment. Because the corruption occurs at the file I/O layer, typical memory corruption detection tools do not catch it. Attackers who succeed can overwrite critical binaries or configuration files, resulting in complete compromise of an embedded target.

Generated by OpenCVE AI on April 22, 2026 at 04:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update F Prime to version 4.2.0 or later, which contains the integer-overflow and path-sanitization fix.
  • If an update cannot be applied immediately, disable or restrict the FileUplink service to only trusted sources.
  • Add explicit validation of payload lengths and destination paths before performing file writes in any custom or legacy implementation.
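
The wrapping bounds check from the description beside an overflow-safe form, with a destination-path check of the kind the last recommendation calls for. This is an added example, not F Prime's code or its 4.2.0 patch; the function names, the /uplink/ root, the 1024-byte file size and the path policy are assumptions.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

using U32 = std::uint32_t;  // hypothetical alias for this example

// The check as the description gives it: the U32 sum wraps modulo 2^32,
// so a huge byteOffset plus a small dataSize can compare as "in range".
bool vulnerableInBounds(U32 byteOffset, U32 dataSize, U32 fileSize) {
    U32 end = static_cast<U32>(byteOffset + dataSize);  // may wrap to a small value
    return !(end > fileSize);
}

// Overflow-safe form: never compute the sum, compare by subtraction instead.
bool safeInBounds(U32 byteOffset, U32 dataSize, U32 fileSize) {
    if (byteOffset > fileSize) return false;   // offset already past the end
    return dataSize <= fileSize - byteOffset;  // cannot underflow after the test above
}

// Assumed policy (not from the advisory): the destination must sit under one
// uplink root and contain no empty, "." or ".." component. Symlinks are not
// resolved here; a real deployment would also need to account for them.
bool destinationAllowed(const std::string& path, const std::string& root) {
    if (root.empty() || root.back() != '/') return false;
    if (path.size() <= root.size() || path.compare(0, root.size(), root) != 0) return false;
    std::size_t start = root.size();
    while (start <= path.size()) {
        std::size_t end = path.find('/', start);
        if (end == std::string::npos) end = path.size();
        const std::string part = path.substr(start, end - start);
        if (part.empty() || part == "." || part == "..") return false;
        start = end + 1;
    }
    return true;
}

int main() {
    const U32 fileSize = 1024;  // constructed sample value
    // Values from the description: 0xFFFFFF9C + 100 wraps to 0.
    std::printf("vulnerable check accepts: %d\n", vulnerableInBounds(0xFFFFFF9Cu, 100u, fileSize));
    std::printf("safe check accepts:       %d\n", safeInBounds(0xFFFFFF9Cu, 100u, fileSize));
    std::printf("path under root allowed:  %d\n", destinationAllowed("/uplink/seq/a.bin", "/uplink/"));
    std::printf("traversal path allowed:   %d\n", destinationAllowed("/uplink/../etc/passwd", "/uplink/"));
    return 0;
}
```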


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Nasa; Nasa fprime
Vendors & Products | | Nasa; Nasa fprime

Wed, 22 Apr 2026 00:15:00 +0000

Type | Values Removed | Values Added
Description | | F´ (F Prime) is a framework that enables development and deployment of spaceflight and other embedded software applications. Prior to version 4.2.0, the bounds check byteOffset + dataSize > fileSize uses U32 addition that wraps around on overflow. An attacker-crafted DataPacket with byteOffset=0xFFFFFF9C and dataSize=100 overflows to 0, bypassing the check entirely. The subsequent file write proceeds at the original ~4GB offset. Additionally, Svc/FileUplink/File.cpp:20-31 performs no sanitization on the destination file path. Combined, these allow writing arbitrary data to any file at any offset. The impact is arbitrary file write leading to remote code execution on embedded targets. Note that this is a logic bug. ASAN does not detect it because all memory accesses are within valid buffers — the corruption occurs in file I/O. Version 4.2.0 contains a patch. No known workarounds are available.
Title | | F´ (F Prime) has Integer Overflow in FileUplink
Weaknesses | | CWE-190; CWE-787
References | |
Metrics | | cvssV3_1: {'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T23:58:11.855Z

Reserved: 2026-04-17T12:59:15.739Z

Link: CVE-2026-41144

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-22T00:16:29.550

Modified: 2026-04-22T00:16:29.550

Link: CVE-2026-41144

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:30:05Z