Vulnerability Details CVE-2026-21899
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, in base64urlDecode, padding-stripping dereferences input[inputLen - 1] before checking that inputLen > 0 or that input != NULL. For inputLen == 0, this becomes an OOB read at input[-1], potentially crashing the process. If input == NULL and inputLen == 0, it dereferences NULL - 1. This issue has been patched in version 1.4.3.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 9.6%
CVSS Severity
CVSS v3 Score 4.7
References
Products affected by CVE-2026-21899
-
cpe:2.3:a:nasa:cryptolib:1.0.0
-
cpe:2.3:a:nasa:cryptolib:1.0.1
-
cpe:2.3:a:nasa:cryptolib:1.0.2
-
cpe:2.3:a:nasa:cryptolib:1.0.3
-
cpe:2.3:a:nasa:cryptolib:1.1.0
-
cpe:2.3:a:nasa:cryptolib:1.1.1
-
cpe:2.3:a:nasa:cryptolib:1.2.0
-
cpe:2.3:a:nasa:cryptolib:1.2.1
-
cpe:2.3:a:nasa:cryptolib:1.2.2
-
cpe:2.3:a:nasa:cryptolib:1.2.3
-
cpe:2.3:a:nasa:cryptolib:1.3.0
-
cpe:2.3:a:nasa:cryptolib:1.3.1
-
cpe:2.3:a:nasa:cryptolib:1.3.2
-
cpe:2.3:a:nasa:cryptolib:1.3.3
-
cpe:2.3:a:nasa:cryptolib:1.4.0
-
cpe:2.3:a:nasa:cryptolib:1.4.1
-
cpe:2.3:a:nasa:cryptolib:1.4.2