CVE-2026-21900: CWE-125: Out-of-bounds Read in nasa CryptoLib
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, an out-of-bounds heap read vulnerability in cryptography_encrypt() occurs when parsing JSON metadata from KMC server responses. The flawed strtok iteration pattern uses ptr + strlen(ptr) + 1 which reads one byte past allocated buffer boundaries when processing short or malformed metadata strings. This issue has been patched in version 1.4.3.
AI Analysis
Technical Summary
CVE-2026-21900 is an out-of-bounds heap read (CWE-125) in NASA's CryptoLib, a software-only implementation of the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) used to secure communications between spacecraft running the core Flight System (cFS) and ground stations. Versions prior to 1.4.3 are affected. The flaw sits in cryptography_encrypt(), in the code that parses JSON metadata returned in Key Management Center (KMC) server responses: the strtok-based iteration advances with ptr + strlen(ptr) + 1, which assumes that another byte always follows the terminating NUL of the current token. For the last token in the buffer, that NUL is the buffer's own terminator, so the computed pointer lands one byte past the heap allocation and is read. Short or malformed metadata strings reach this condition quickly. A one-byte heap overread of this kind normally shows up as a crash or other undefined behaviour (and is caught reliably by AddressSanitizer); it can also return an adjacent heap byte, so the realistic consequences are application instability in the encryption path and limited memory disclosure, either of which can disrupt spacecraft communication security. Because the malformed input arrives in a KMC response, triggering it requires the ability to supply or alter that response, for example from a compromised or impersonated KMC server or from a network position between CryptoLib and the KMC. The advisory rates the issue as remotely exploitable over the network without privileges or user interaction, with a CVSS 4.0 base score of 8.2; no public exploit is known. CryptoLib 1.4.3 corrects the parsing logic so that the iteration is bounded by the buffer. Given CryptoLib's specialised role, the exposed population is aerospace and space-research organisations that rely on it for SDLS-EP.
Potential Impact
For European organizations engaged in aerospace, satellite communications and space research, the practical risk is twofold: a malformed KMC response can crash or destabilise the encryption path and so deny service on the link between spacecraft and ground station, and the overread can expose an adjacent heap byte, so leakage of sensitive cryptographic metadata cannot be ruled out. Either outcome bears on mission integrity, data confidentiality and the operational availability of space assets. The exposure extends to national space agencies, research institutions and private aerospace companies that use CryptoLib or systems derived from it; disruption or data leakage in these settings has strategic and economic consequences for satellite operations, scientific missions and national security interests, and a weakened data link is a natural target for espionage or sabotage by hostile actors. Because the trigger travels over the network inside a KMC response, anyone able to supply or alter that response can attempt exploitation remotely, which raises the urgency of mitigation across the European aerospace sector.
Mitigation Recommendations
European organizations should upgrade to CryptoLib 1.4.3 or later without delay, since that release corrects the parsing logic. Beyond patching: treat KMC responses as untrusted input and validate and length-check the JSON metadata before tokenising it, rejecting short or structurally invalid strings rather than attempting to parse them; authenticate the KMC channel so that only a legitimate server can supply metadata; build and test the cryptographic components under AddressSanitizer and fuzz the metadata parser, because a one-byte heap overread is exactly the class of bug a sanitizer catches and an ordinary functional test suite misses; extend network monitoring to flag anomalous or malformed metadata exchanges between CryptoLib hosts and the KMC; and review supply-chain and update-management processes so that CryptoLib patches reach flight and ground systems promptly. Coordinate with NASA and other space agencies on threat intelligence and incident response, and consider additional protocol-level safeguards and redundant communication channels to limit the effect of any disruption.
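The following C program is an added illustration of the advance pattern named in the Technical Summary and of the bounded parsing and malformed-input testing recommended above; it is not CryptoLib code and does not reproduce the KMC JSON layout. It assumes a comma-separated key=value metadata string (a stand-in chosen for brevity) and the helper names (unchecked_rest_offset, would_overread, token_overreads, parse_metadata_safe, run_malformed_corpus, value_matches) are hypothetical. The flawed computation is shown as an offset rather than dereferenced, so the demo itself stays free of undefined behaviour while making visible where the read would land.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not CryptoLib code. Metadata format (key=value pairs separated
 * by ',') and all function names are assumptions for illustration only. */

/* The hazardous advance. strtok() writes '\0' over the delimiter, so for an
 * interior token tok + strlen(tok) + 1 is the start of the remainder. For the
 * LAST token the '\0' strlen() stops on is the buffer's own terminator, and +1
 * is one byte past the heap allocation: reading there is the CWE-125 overread.
 * The offset is returned instead of dereferenced. */
size_t unchecked_rest_offset(const char *buf, const char *tok)
{
    const char *rest = tok + strlen(tok) + 1;   /* the flawed computation */
    return (size_t)(rest - buf);
}

/* 1 if the unchecked advance lands outside an allocation of alloc_len bytes. */
int would_overread(const char *buf, size_t alloc_len, const char *tok)
{
    return unchecked_rest_offset(buf, tok) >= alloc_len ? 1 : 0;
}

/* Heap-copy s exactly (strlen+1 bytes, as a strtok caller would), tokenise it,
 * and report whether the unchecked advance from the index-th token leaves the
 * allocation. -1 if there is no such token. */
int token_overreads(const char *s, int index)
{
    size_t alloc = strlen(s) + 1;
    char *buf = malloc(alloc);
    if (!buf) return -1;
    memcpy(buf, s, alloc);
    int r = -1, i = 0;
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ","), i++)
        if (i == index) { r = would_overread(buf, alloc, tok); break; }
    free(buf);
    return r;
}

/* Bounded replacement: compute end once, locate separators with memchr()
 * limited to the bytes that remain, and only step over a separator that was
 * actually found. Returns the number of pairs, or -2 for malformed input
 * (missing '=' or empty key); copies the value for `want` into out. */
int parse_metadata_safe(const char *meta, const char *want, char *out, size_t out_len)
{
    const char *end = meta + strlen(meta);     /* the terminating '\0' */
    const char *tok = meta;
    int pairs = 0;

    if (out_len) out[0] = '\0';
    while (tok < end) {
        const char *sep = memchr(tok, ',', (size_t)(end - tok));
        const char *tok_end = sep ? sep : end;
        const char *eq = memchr(tok, '=', (size_t)(tok_end - tok));
        if (!eq || eq == tok)
            return -2;                          /* reject, do not guess */
        pairs++;
        size_t klen = (size_t)(eq - tok);
        if (klen == strlen(want) && memcmp(tok, want, klen) == 0 && out_len) {
            size_t vlen = (size_t)(tok_end - (eq + 1));
            if (vlen > out_len - 1) vlen = out_len - 1;
            memcpy(out, eq + 1, vlen);
            out[vlen] = '\0';
        }
        tok = sep ? sep + 1 : end;              /* never advances past end */
    }
    return pairs;
}

/* Constructed edge-case corpus standing in for a fuzzing run: empty, single
 * token, trailing/leading separator, no '=', empty key. Returns how many the
 * bounded parser rejected; none of them can make it read outside the string. */
int run_malformed_corpus(void)
{
    static const char *const corpus[] =
        { "", "k=v", "k=v,", ",k=v", "novalue", "=v", "a=1,b=2" };
    char out[16];
    int rejected = 0;
    for (size_t i = 0; i < sizeof corpus / sizeof corpus[0]; i++)
        if (parse_metadata_safe(corpus[i], "k", out, sizeof out) == -2)
            rejected++;
    return rejected;
}

/* 1 if parsing meta succeeds and the value stored for want equals expect. */
int value_matches(const char *meta, const char *want, const char *expect)
{
    char out[32];
    return parse_metadata_safe(meta, want, out, sizeof out) >= 0 &&
           strcmp(out, expect) == 0;
}

int main(void)
{
    printf("\"k=v\" last token: %s\n",
           token_overreads("k=v", 0) ? "advance leaves allocation" : "in bounds");
    printf("\"a=1,b=2\" token 0: %d, token 1: %d (1 = out of bounds)\n",
           token_overreads("a=1,b=2", 0), token_overreads("a=1,b=2", 1));
    char out[16];
    int n = parse_metadata_safe("alg=AES256,len=32,id=7", "len", out, sizeof out);
    printf("bounded parser: %d pairs, len=%s; corpus rejections: %d\n",
           n, out, run_malformed_corpus());
    return 0;
}
```

The point the two functions make together: with strtok the final token always ends on the buffer terminator, so a single-token (short) string hits the overread on its very first iteration, while the bounded parser carries an explicit end pointer and never forms a pointer beyond it, whatever the input looks like.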
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-05T17:24:36.931Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6961a1f5ed32c7f018d59bdf
Added to database: 1/10/2026, 12:48:53 AM
Last enriched: 1/10/2026, 1:04:07 AM
Last updated: 1/10/2026, 9:31:23 PM