
CVE-2026-21899: CWE-125: Out-of-bounds Read in nasa CryptoLib

Severity: Medium
Tags: Vulnerability, CVE-2026-21899, cve, cwe-125
Published: Sat Jan 10 2026 (01/10/2026, 00:11:18 UTC)
Source: CVE Database V5
Vendor/Project: nasa
Product: CryptoLib

Description

CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, in base64urlDecode, padding-stripping dereferences input[inputLen - 1] before checking that inputLen > 0 or that input != NULL. For inputLen == 0, this becomes an OOB read at input[-1], potentially crashing the process. If input == NULL and inputLen == 0, it dereferences NULL - 1. This issue has been patched in version 1.4.3.

AI-Powered Analysis

Last updated: 01/10/2026, 01:05:29 UTC

Technical Analysis

CVE-2026-21899 is an out-of-bounds (OOB) read vulnerability, classified as CWE-125, in NASA's CryptoLib, a software-only implementation of the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP). The library secures communications between spacecraft running the core Flight System (cFS) and ground stations. The flaw is in the base64urlDecode function: the padding-stripping code dereferences input[inputLen - 1] without first verifying that inputLen is greater than zero and that the input pointer is not NULL. When inputLen is zero, the index wraps to input[-1], an OOB read that can crash the process or cause other undefined behavior. When input is NULL and inputLen is zero, the code dereferences NULL - 1, which typically results in a segmentation fault. All CryptoLib versions prior to 1.4.3 are affected; the issue is patched in that release. The CVSS v3.1 score is 4.7 (medium): attack vector network, low attack complexity, high privileges required, no user interaction, with impacts on confidentiality, integrity, and availability. No known exploits have been reported in the wild. The flaw could be leveraged to disrupt secure communications or cause denial of service in space communication systems relying on this library.

Potential Impact

For European organizations, particularly those involved in aerospace, satellite communications, and space research, this vulnerability could disrupt critical communication links between spacecraft and ground stations, potentially leading to loss of data confidentiality, integrity, and availability. Although the attack requires high privileges, exploitation could allow attackers to crash processes handling secure communications, causing denial of service and possibly enabling further attacks on the communication infrastructure. This could impact national space agencies, research institutions, and companies involved in satellite operations or space mission support. The disruption of secure data links could delay mission-critical operations or compromise sensitive telemetry data. Given the specialized nature of the affected software, the impact is likely limited to organizations using NASA’s CryptoLib or cFS-based systems, but these are often strategic assets with high operational importance.

Mitigation Recommendations

European organizations using CryptoLib should immediately upgrade to version 1.4.3 or later where the vulnerability is patched. In addition to patching, organizations should implement strict input validation and boundary checks on all inputs to base64urlDecode or similar functions to prevent malformed or zero-length inputs from triggering OOB reads. Conduct thorough code audits of any custom integrations with CryptoLib to ensure no unsafe assumptions about input length or null pointers exist. Employ runtime protections such as memory safety tools (e.g., AddressSanitizer) during development and testing to detect similar issues early. Network segmentation and strict access controls should be enforced to limit exposure of systems running CryptoLib, especially since exploitation requires high privileges. Monitoring and logging of process crashes or unusual behavior in communication systems can help detect attempted exploitation. Finally, maintain close coordination with NASA and relevant space agencies for updates and advisories.
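The following C example, added to this page and not taken from CryptoLib's source, shows the shape of the bug described in the Description and Technical Analysis sections next to the boundary-checked form the mitigation advice calls for. The function names (strip_padding_unsafe, strip_padding_safe, base64url_decode_safe) and the small base64url decoder around them are hypothetical reconstructions built only from the advisory's wording: the unsafe variant reads input[inputLen - 1] before validating its arguments, the safe variant checks the pointer and the length first and rejects malformed input instead of reading past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the flawed pattern the advisory describes.
 * With inputLen == 0 the index wraps to input[-1] (out-of-bounds read); with
 * input == NULL as well it dereferences NULL - 1. Never call it that way. */
static size_t strip_padding_unsafe(const uint8_t *input, size_t inputLen)
{
    while (input[inputLen - 1] == '=') {   /* no inputLen > 0 / input != NULL check */
        inputLen--;                        /* also walks below 0 if input is all '=' */
    }
    return inputLen;
}

/* Hardened form: validate the pointer, then test the length before every read. */
static int strip_padding_safe(const uint8_t *input, size_t inputLen, size_t *outLen)
{
    if (input == NULL || outLen == NULL) {
        return -1;
    }
    while (inputLen > 0 && input[inputLen - 1] == '=') {
        inputLen--;
    }
    *outLen = inputLen;
    return 0;
}

/* Map one base64url alphabet character to its 6-bit value, or -1 if invalid. */
static int b64url_val(uint8_t c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '-') return 62;
    if (c == '_') return 63;
    return -1;
}

/* Constructed base64url decoder using the safe padding strip. Returns 0 on
 * success with *outLen set, -1 on NULL arguments, bad alphabet, an impossible
 * length (len % 4 == 1) or an output buffer that is too small. Empty input is
 * valid and decodes to zero bytes rather than reading before the buffer. */
int base64url_decode_safe(const uint8_t *input, size_t inputLen,
                          uint8_t *out, size_t outCap, size_t *outLen)
{
    size_t len, produced = 0;
    uint32_t acc = 0;
    int bits = 0;

    if (out == NULL || outLen == NULL || strip_padding_safe(input, inputLen, &len) != 0) {
        return -1;
    }
    if (len % 4 == 1) {
        return -1;                          /* a lone 6-bit group cannot form a byte */
    }
    for (size_t i = 0; i < len; i++) {
        int v = b64url_val(input[i]);
        if (v < 0) {
            return -1;
        }
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (produced >= outCap) {
                return -1;                  /* bounded write, no overflow of out */
            }
            out[produced++] = (uint8_t)((acc >> bits) & 0xFF);
            acc &= (1u << bits) - 1;        /* keep only the leftover bits */
        }
    }
    *outLen = produced;
    return 0;
}

/* Helpers that return plain ints so results can be checked without printing. */
int decode_matches(const char *in, const char *expected)
{
    uint8_t buf[64];
    size_t n = 0;
    if (base64url_decode_safe((const uint8_t *)in, strlen(in), buf, sizeof buf, &n) != 0) {
        return 0;
    }
    return n == strlen(expected) && memcmp(buf, expected, n) == 0;
}

int decode_rejects(const uint8_t *in, size_t len)
{
    uint8_t buf[64];
    size_t n = 0;
    return base64url_decode_safe(in, len, buf, sizeof buf, &n) == -1;
}

int main(void)
{
    /* Constructed inputs: the zero-length and NULL cases are the ones the advisory names. */
    printf("\"YQ==\" -> \"a\": %d\n", decode_matches("YQ==", "a"));
    printf("\"\" -> empty:     %d\n", decode_matches("", ""));
    printf("NULL rejected:   %d\n", decode_rejects(NULL, 0));
    return 0;
}
```

The safe path reaches input[inputLen - 1] only after the pointer test and the inputLen > 0 test, so the two argument combinations the advisory describes (zero length, and NULL with zero length) take the early returns instead of reading memory before the buffer; building the decoder with AddressSanitizer, as the mitigation text suggests, would flag the unsafe variant on the first zero-length call.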


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-05T17:24:36.931Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 6961a1f5ed32c7f018d59bdb

Added to database: 1/10/2026, 12:48:53 AM

Last enriched: 1/10/2026, 1:05:29 AM

Last updated: 1/10/2026, 10:09:43 PM

