Description
A vulnerability has been found in NASA cFS up to 7.0.0. The impacted element is the function pickle.load of the component Pickle Module. Such manipulation leads to deserialization. The attack needs to be performed locally. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-03
Score: 2.0 Low (CVSS v4.0 base; 4.5 Medium under CVSS v3.1)
EPSS: n/a
KEV: No
Impact: Local code execution through insecure deserialization
Action: Assess Impact
AI Analysis

Impact

The vulnerability arises from passing data the cFS Pickle Module does not control to Python's pickle.load. pickle is not a data-only format: a stream can name any importable callable, and the unpickler imports and calls it (the REDUCE mechanism behind __reduce__) while load is still running, so a crafted stream executes arbitrary Python in the loading process with no memory-corruption bug required. Only a local attacker who can place data on that load path is in scope (the vendor vectors give AV:L with PR:L), and the rating treats the preconditions as complex. Once the data is loaded, the attacker's code runs with the privileges of the process that called pickle.load, so the real impact depends on which account runs the component and what it can reach, not only on the Low C/I/A ratings in the vectors.

Affected Systems

The affected product is NASA cFS, all releases up to and including version 7.0.0. No subcomponent beyond the Pickle Module is named, so any cFS deployment in which that component unpickles data an attacker can write is exposed. Input validation (the CWE-20 weakness also listed) does not close this class of bug: the callables named in a pickle stream run before any check on the resulting object can, so the effective controls are not unpickling attacker-reachable data at all, or restricting which globals the unpickler will resolve.

Risk and Exploitability

The headline score of 2.0 (Low) is the CVSS v4.0 base score; the same vendor assessment scores 4.5 (Medium) under CVSS v3.1, and no EPSS score is available. The vulnerability is not listed in CISA's KEV catalog. Exploitation needs local access with low privileges and a way to get attacker-controlled bytes onto the load path; crafting the payload itself is straightforward (a class whose __reduce__ names a callable such as os.system), so the High attack-complexity rating reflects those preconditions, not the payload. A proof-of-concept is reported as public. Where untrusted local users or writable data paths exist, local code execution remains a realistic outcome.

Generated by OpenCVE AI on April 3, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Identify cFS deployments at or below version 7.0.0 and track NASA for a fixed release; none has been published at the time of this record.
  • Until a patch exists, restrict local access to the cFS instance and make sure whatever location the Pickle Module reads from is writable only by the service account, so no other local user can supply a pickle stream.
  • Replace pickle.load on any attacker-reachable data with a data-only format such as JSON; if pickle must stay, load through a pickle.Unpickler subclass whose find_class rejects every global not on an explicit allow-list, and treat stored pickle blobs that name modules such as os, subprocess or builtins as hostile.
  • Monitor NASA cFS release notes and security advisories for any updates or workarounds related to this issue.

Generated by OpenCVE AI on April 3, 2026 at 20:21 UTC.
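
The load-time execution described under Impact and the loader hardening in the recommended actions, as an added example that is not part of the OpenCVE page and not code from NASA cFS. It assumes nothing about how the cFS component obtains its data; the Exploit class, the sample payloads and the allow-list are constructed for illustration, and the eval call stands in for whatever an attacker would really name (os.system, subprocess.Popen).

```python
import io
import os
import pickle
import pickletools
from collections import OrderedDict


class Exploit:
    """Constructed attacker object (illustration, not code from cFS).

    pickle does not store an Exploit instance; it stores what __reduce__
    returns: (callable, args). The unpickler imports the callable by name
    and calls it while pickle.load() is still running.
    """

    def __init__(self, expression):
        self.expression = expression

    def __reduce__(self):
        # Any importable callable works here (os.system, subprocess.Popen...).
        # eval is used so the demo stays harmless and its result is checkable.
        return (eval, (self.expression,))


def build_malicious_pickle(expression="__import__('os').getcwd()"):
    """Serialise the attacker object. Nothing executes at dump time."""
    return pickle.dumps(Exploit(expression))


def benign_object():
    """Constructed sample of what a legitimate producer might persist."""
    return {"app": "sample", "values": [1, 2, 3], "meta": OrderedDict(a=1, b=2)}


def build_benign_pickle():
    return pickle.dumps(benign_object())


def unsafe_load(data):
    """The vulnerable pattern: pickle.load on bytes of unknown provenance."""
    return pickle.load(io.BytesIO(data))


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: only globals on an explicit allow-list resolve.

    Every callable or class a pickle stream names (eval, os.system,
    subprocess.Popen, ...) reaches the unpickler through find_class, so
    refusing there blocks the REDUCE-based attack. Keep the allow-list to
    data-only types; a permitted class with a dangerous __setstate__ or
    __reduce__ would reopen the hole, so this is a mitigation, not a
    substitute for a data-only format such as JSON.
    """

    ALLOWED = {("collections", "OrderedDict")}  # assumed allow-list for the demo

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")


def restricted_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def referenced_globals(data):
    """Static triage: list the (module, name) globals a stream would import,
    without loading it. Handles GLOBAL (protocols 0-3) and STACK_GLOBAL
    (protocol 4+ as CPython's pickler emits it, with the two name strings
    immediately preceding the opcode). A heuristic, not a full stack
    emulation: a stream that reuses memoised strings via BINGET would need that.
    """
    found, strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
        elif isinstance(arg, str):
            strings.append(arg)
    return found


def demonstrate():
    """Run the three checks and report outcomes as booleans."""
    malicious, benign = build_malicious_pickle(), build_benign_pickle()
    outcome = {
        # The vulnerable path executes the embedded expression during load.
        "unsafe_ran_attacker_code": unsafe_load(malicious) == os.getcwd(),
        # The hardened path still round-trips legitimate data...
        "benign_loads": restricted_load(benign) == benign_object(),
    }
    try:  # ...and refuses the payload before any code runs.
        restricted_load(malicious)
        outcome["restricted_blocked"] = False
    except pickle.UnpicklingError:
        outcome["restricted_blocked"] = True
    return outcome


if __name__ == "__main__":
    print(demonstrate())
    print("globals in payload:", referenced_globals(build_malicious_pickle()))
```

referenced_globals is the check to run over any pickle blobs already on disk during triage: a stream that names builtins, os, subprocess, or anything outside the types the producer legitimately writes should be treated as hostile and not loaded at all.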

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description | (empty) | A vulnerability has been found in NASA cFS up to 7.0.0. The impacted element is the function pickle.load of the component Pickle Module. Such manipulation leads to deserialization. The attack needs to be performed locally. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title | (empty) | NASA cFS Pickle pickle.load deserialization
First Time appeared | (empty) | Nasa; Nasa cfs
Weaknesses | (empty) | CWE-20; CWE-502
CPEs | (empty) | cpe:2.3:a:nasa:cfs:*:*:*:*:*:*:*:*
Vendors & Products | (empty) | Nasa; Nasa cfs
References | (empty) | (empty)
Metrics | (empty) | cvssV2_0 {'score': 3.5, 'vector': 'AV:L/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
Metrics | (empty) | cvssV3_0 {'score': 4.5, 'vector': 'CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | (empty) | cvssV3_1 {'score': 4.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | (empty) | cvssV4_0 {'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-03T16:30:13.683Z

Reserved: 2026-04-03T07:44:07.881Z

Link: CVE-2026-5473

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-03T17:16:54.203

Modified: 2026-04-03T17:16:54.203

Link: CVE-2026-5473

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T21:15:06Z

Weaknesses