CVE-2026-22023: CWE-125: Out-of-bounds Read in nasa CryptoLib
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, there is an out-of-bounds heap read vulnerability in cryptography_aead_encrypt(). This issue has been patched in version 1.4.3.
AI Analysis
Technical Summary
CVE-2026-22023 identifies a heap-based out-of-bounds read vulnerability (CWE-125) in the cryptography_aead_encrypt() function of NASA's CryptoLib software prior to version 1.4.3. CryptoLib implements the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP), which is designed to secure communication links between spacecraft running the core Flight System (cFS) and their corresponding ground stations. The vulnerability arises when the function attempts to read memory beyond the allocated heap buffer, potentially exposing sensitive cryptographic material or causing undefined behavior. This flaw can be triggered remotely without requiring authentication or user interaction, making it accessible to attackers with network access to the communication channel. The CVSS 4.0 score of 8.2 reflects the high impact on confidentiality and integrity, with no impact on availability. The vulnerability does not require privileges or user interaction, increasing its exploitability. While no known exploits have been reported in the wild, the critical nature of space communication security makes this vulnerability particularly concerning. The issue was addressed and patched in CryptoLib version 1.4.3, which corrects the bounds checking in the encryption function to prevent out-of-bounds reads. Organizations using affected versions should upgrade immediately to mitigate risks. Given the specialized application in space communications, the vulnerability primarily affects aerospace and governmental entities involved in satellite operations and space missions.
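The summary above names the bug class (CWE-125, a heap out-of-bounds read in an AEAD encrypt routine) but not which length field or buffer was involved in cryptography_aead_encrypt(), so the example below is deliberately generic. It is added here and is not CryptoLib's code: it shows an encrypt wrapper that trusts a payload-length field carried in the frame, with the unchecked read pattern in a comment beside a hardened version that validates the (header, payload, tag) span with overflow-safe arithmetic before touching any byte. The frame layout, the names aead_span_check, frame_encrypt_in_place and demo_run, and the XOR/byte-sum "cipher" are constructed stand-ins, not SDLS-EP and not real cryptography.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative frame layout (constructed for this example; not the SDLS-EP
 * or CryptoLib layout):
 *   [ 2-byte header ][ payload: header[0] bytes ][ 4-byte tag ]
 * header[0] is a length field read from the frame, so it is attacker-influenced
 * and must never be trusted to stay inside the buffer actually allocated. */
#define HDR_LEN 2
#define TAG_LEN 4

enum { AEAD_OK = 0, AEAD_ERR_BOUNDS = -1, AEAD_ERR_ARG = -2 };

/* Overflow-safe test for a + b <= limit on size_t values. */
static int fits_within(size_t a, size_t b, size_t limit)
{
    if (a > limit)
        return 0;
    return b <= limit - a; /* never computes a + b, so it cannot wrap */
}

/* Bounds check: header, payload and tag must all lie inside frame_len bytes.
 * This is the kind of check whose absence produces a CWE-125 heap read. */
int aead_span_check(size_t frame_len, size_t hdr_len, size_t payload_len, size_t tag_len)
{
    if (!fits_within(hdr_len, payload_len, frame_len))
        return AEAD_ERR_BOUNDS;
    /* hdr_len + payload_len cannot overflow: the first check bounded it by frame_len */
    if (!fits_within(hdr_len + payload_len, tag_len, frame_len))
        return AEAD_ERR_BOUNDS;
    return AEAD_OK;
}

/* Vulnerable pattern (kept as a comment so this file never executes it):
 *
 *   size_t payload_len = frame[0];            // length taken from the frame
 *   for (size_t i = 0; i < payload_len; i++)  // no comparison against frame_len
 *       out[i] = frame[HDR_LEN + i] ^ key;    // reads past the heap buffer
 *
 * With frame_len == 16 and frame[0] == 255 the loop reads well beyond the
 * allocation; whatever follows it on the heap ends up in the output. */

/* Hardened pattern: validate the span before touching any payload byte.
 * The XOR and byte-sum below are stand-ins for the real AEAD cipher and tag;
 * they exist only so the control flow is runnable, and are not cryptography. */
int frame_encrypt_in_place(uint8_t *frame, size_t frame_len, uint8_t key)
{
    if (frame == NULL || frame_len < HDR_LEN)
        return AEAD_ERR_ARG;

    size_t payload_len = frame[0]; /* untrusted length field */
    int rc = aead_span_check(frame_len, HDR_LEN, payload_len, TAG_LEN);
    if (rc != AEAD_OK)
        return rc; /* fail closed: nothing has been read or written */

    uint8_t sum = 0;
    for (size_t i = 0; i < payload_len; i++) {
        frame[HDR_LEN + i] ^= key;
        sum += frame[HDR_LEN + i];
    }
    memset(frame + HDR_LEN + payload_len, 0, TAG_LEN);
    frame[HDR_LEN + payload_len] = sum;
    return AEAD_OK;
}

/* Builds a constructed 16-byte heap frame whose header claims declared_len
 * payload bytes and returns the encrypt routine's verdict. */
int demo_run(uint8_t declared_len)
{
    const size_t frame_len = 16;
    uint8_t *frame = malloc(frame_len);
    if (frame == NULL)
        return AEAD_ERR_ARG;
    memset(frame, 0x41, frame_len);
    frame[0] = declared_len;
    frame[1] = 0x00;
    int rc = frame_encrypt_in_place(frame, frame_len, 0x5A);
    free(frame);
    return rc;
}

int main(void)
{
    /* 2 + 10 + 4 == 16: exactly fills the buffer, accepted. */
    printf("declared 10 -> %d\n", demo_run(10));
    /* 2 + 11 + 4 == 17: one byte past the allocation, rejected. */
    printf("declared 11 -> %d\n", demo_run(11));
    /* Maximal length field, rejected without any out-of-bounds access. */
    printf("declared 255 -> %d\n", demo_run(255));
    return 0;
}
```

Building this with `-fsanitize=address` and feeding it frames whose length field exceeds the allocation is a cheap regression test for the hardened path: the checked version stays silent, while reinstating the commented-out loop would trip the sanitizer on the first oversized frame. The same check belongs on every length that a frame parser hands to a cipher routine (header, payload, associated data, tag), and each one should be compared against the size that was actually allocated, not against another field from the same untrusted frame.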
Potential Impact
The primary impact of CVE-2026-22023 is on the confidentiality and integrity of communications between spacecraft and ground stations. An out-of-bounds read can lead to leakage of sensitive cryptographic keys or data, potentially allowing attackers to decrypt or manipulate secure communications. For European organizations involved in space missions, satellite operations, or ground station management, exploitation could compromise mission-critical data, leading to loss of sensitive information or disruption of command and control functions. Although availability is not directly impacted, the integrity breach could cause erroneous commands or data corruption, indirectly affecting mission success. The vulnerability's remote exploitability without authentication increases the risk profile, especially for ground stations exposed to external networks. Given the strategic importance of space assets for communications, navigation, and defense, successful exploitation could have significant operational and national security consequences for affected European countries.
Mitigation Recommendations
1. Immediately upgrade to CryptoLib version 1.4.3 or later to apply the official patch that fixes the out-of-bounds read vulnerability.
2. Conduct a thorough inventory of all systems using CryptoLib, especially those involved in space communications and ground station operations, to identify and remediate vulnerable versions.
3. Implement network segmentation and strict access controls to limit exposure of ground station communication interfaces to untrusted networks, reducing the attack surface.
4. Employ intrusion detection systems (IDS) and anomaly detection tailored to space communication protocols to monitor for unusual activity indicative of exploitation attempts.
5. Regularly audit and review cryptographic key management practices to detect any unauthorized access or leakage potentially resulting from exploitation.
6. Collaborate with space agencies and cybersecurity organizations to share threat intelligence and coordinate response efforts.
7. Develop incident response plans specific to space communication infrastructure to quickly address potential breaches.
Affected Countries
France, Germany, Italy, United Kingdom, Spain, Belgium, Netherlands, Sweden
Technical Details
Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-05T22:30:38.717Z
CVSS Version: 4.0
State: PUBLISHED
Threat ID: 6961a1f5ed32c7f018d59be4
Added to database: 1/10/2026, 12:48:53 AM
Last enriched: 1/10/2026, 1:03:45 AM
Last updated: 1/10/2026, 10:09:42 PM