
CVE-2025-61910: CWE-789: Memory Allocation with Excessive Size Value in nasa-jpl ION-DTN

Severity: High
Published: Tue Oct 07 2025 (10/07/2025, 19:31:33 UTC)
Source: CVE Database V5
Vendor/Project: nasa-jpl
Product: ION-DTN

Description

NASA's Interplanetary Overlay Network (ION) is an implementation of Delay/Disruption Tolerant Networking (DTN). A BPv7 bundle with a malformed extension block causes uncontrolled memory allocation inside ION-DTN 4.1.3s, leading to receiver thread termination and a Denial-of-Service (DoS). The triggering bundle contains an extension block starting at `0x85070201005bbb0e20b4ea001a000927c0...`. The first byte in the extension block (0x85) indicates a CBOR array of five elements, of which the first four are numbers (0x07, 0x02, 0x01, 0x00) but the fifth element is a byte string of length 27 (`0x5bbb0e20b4ea001a000927c0...`). The vulnerability seems to be due to processing the fifth element of the array (i.e., the byte string), because replacing it with a number no longer triggers the vulnerability. While parsing this extension block, ION obtains a very large block length, which in the code (`bei.c`:764) seems to be passed from `blockLength`, which is an unsigned int, to a 32-bit signed integer `blkSize`. The unsigned-to-signed conversion causes `blkSize` to hold the value -369092043, which is then converted into a 64-bit unsigned value inside `MTAKE(blkSize)`, resulting in an attempt to allocate an unrealistic amount of memory, causing the error. As of time of publication, no known patched versions of BPv7 exist.

AI-Powered Analysis

AI analysis last updated: 10/07/2025, 20:00:24 UTC

Technical Analysis

CVE-2025-61910 affects NASA JPL's Interplanetary Overlay Network (ION) Delay/Disruption Tolerant Networking (DTN) software version 4.1.3s. The vulnerability is triggered by a malformed BPv7 bundle containing a CBOR-encoded extension block with a specific structure: a five-element array where the fifth element is a byte string of length 27. The ION-DTN software incorrectly processes this byte string, leading to an integer signedness conversion error. The block length is stored as an unsigned int but then cast to a signed 32-bit integer, resulting in a negative value (-369092043). This negative value is subsequently converted to a large 64-bit unsigned integer when passed to the memory allocation function MTAKE(). Consequently, the software attempts to allocate an unrealistic amount of memory, causing the receiver thread to terminate and resulting in a Denial-of-Service (DoS). The vulnerability does not affect confidentiality or integrity but severely impacts availability. The attack vector is network-based, requiring no privileges or user interaction, making it easily exploitable remotely. No patches or mitigations have been published at the time of disclosure, and no known exploits are currently active in the wild. The root cause lies in improper input validation and unsafe type casting in the code handling extension blocks (bei.c at line 764).
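The conversion chain described above, reproduced next to a bounds-checked form. This is an added C example, not ION's code: the function names, the `remaining` parameter and the `MAX_EXT_BLOCK_LEN` limit are assumptions, and `0xEA001A35` is simply the unsigned 32-bit value whose signed reading is the -369092043 quoted in the description.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed upper bound for one extension block; the page names no such
 * constant in ION. Choose a limit that fits the deployment. */
#define MAX_EXT_BLOCK_LEN (64u * 1024u)

/* Mirrors the chain in the advisory: unsigned length -> 32-bit signed int
 * -> 64-bit unsigned allocation request. Returns the size the allocator
 * would be asked for. */
uint64_t vulnerable_request_size(uint32_t blockLength)
{
    /* Out-of-range conversion is implementation-defined before C23; on
     * two's-complement targets (gcc, clang) it wraps to a negative value. */
    int32_t blkSize = (int32_t)blockLength;
    return (uint64_t)(int64_t)blkSize;   /* sign-extends to a huge size */
}

/* Hardened form: keep the length unsigned and validate before allocating.
 * remaining = bytes actually left in the received bundle (hypothetical).
 * Returns 0 and sets *out on success, -1 if the block must be discarded. */
int checked_request_size(uint32_t blockLength, size_t remaining, size_t *out)
{
    if (blockLength > MAX_EXT_BLOCK_LEN)
        return -1;                /* larger than any sane extension block */
    if ((size_t)blockLength > remaining)
        return -1;                /* declared length exceeds received data */
    *out = (size_t)blockLength;
    return 0;
}

int main(void)
{
    uint32_t len = 0xEA001A35u;   /* constructed from the page's -369092043 */
    size_t n = 0;

    printf("as int32:           %" PRId32 "\n", (int32_t)len);
    printf("vulnerable request: %" PRIu64 " bytes\n",
           vulnerable_request_size(len));
    printf("checked result:     %d\n", checked_request_size(len, 512, &n));
    return 0;
}
```

Rejecting the length while it is still unsigned means the sign-extended value never reaches the allocator, whatever the allocator's own failure handling does.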

Potential Impact

For European organizations, the primary impact is a Denial-of-Service condition that can disrupt critical communication systems relying on ION-DTN, particularly in aerospace, satellite communications, and research institutions involved in space networking. The vulnerability could cause receiver threads to crash, leading to loss of data transmission capability and degraded network reliability. This can affect mission-critical operations, data collection, and interplanetary communication experiments. Although the vulnerability does not compromise data confidentiality or integrity, the availability impact can have cascading effects on dependent systems and services. Given the specialized nature of ION-DTN, the affected organizations are likely niche but strategically important, including space agencies, research labs, and satellite operators. Disruptions could delay scientific missions or satellite operations, potentially causing financial and reputational damage. The lack of patches increases the urgency for implementing compensating controls.

Mitigation Recommendations

Since no official patches are available, European organizations should implement the following mitigations:

1) Deploy network-level filtering to block malformed BPv7 bundles or suspicious extension blocks, especially those containing unusually large byte strings or malformed CBOR arrays.
2) Employ strict input validation and anomaly detection on incoming DTN traffic to identify and discard malformed bundles before processing.
3) Isolate ION-DTN instances within segmented network zones with limited exposure to untrusted sources to reduce attack surface.
4) Monitor system logs and receiver thread health to detect early signs of exploitation attempts or crashes.
5) Engage with the vendor or NASA JPL for updates and potential patches, and consider contributing to or tracking open-source fixes.
6) If feasible, implement runtime memory allocation limits or sandboxing around the vulnerable code paths to prevent excessive memory requests.
7) Conduct regular security assessments and penetration testing focused on DTN implementations to identify and remediate similar issues proactively.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-10-03T22:21:59.614Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68e56dd5a677756fc9a02cee

Added to database: 10/7/2025, 7:45:25 PM

Last enriched: 10/7/2025, 8:00:24 PM

Last updated: 10/9/2025, 3:56:30 PM
