CVE-2026-22025: CWE-401: Missing Release of Memory after Effective Lifetime in nasa CryptoLib
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, when the KMC server returns a non-200 HTTP status code, cryptography_encrypt() and cryptography_decrypt() return immediately without freeing previously allocated buffers. Each failed request leaks approximately 467 bytes. Repeated failures (from a malicious server or network issues) can gradually exhaust memory. This issue has been patched in version 1.4.3.
AI Analysis
Technical Summary
CVE-2026-22025 is a vulnerability identified in NASA's CryptoLib, a software-only implementation of the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP), which secures communications between spacecraft running the core Flight System (cFS) and ground stations. The vulnerability arises in versions prior to 1.4.3 when the Key Management Center (KMC) server responds with a non-200 HTTP status code. Under these conditions, the cryptography_encrypt() and cryptography_decrypt() functions return immediately without releasing previously allocated memory buffers, resulting in a memory leak of approximately 467 bytes per failed request. This leak accumulates with repeated failures, which can be triggered either by maliciously crafted server responses or network issues causing repeated errors. Over time, this memory exhaustion can degrade system performance or cause application crashes, impacting the availability of critical cryptographic operations in spacecraft communication systems. The vulnerability does not affect confidentiality or integrity directly, as it does not expose sensitive data or allow unauthorized data modification. Exploitation requires no authentication or user interaction, making it remotely exploitable over the network. The issue has been addressed in CryptoLib version 1.4.3, which properly frees memory buffers even when errors occur. No known exploits are currently reported in the wild. The CVSS v4.0 score of 6.3 reflects a medium severity, considering the network attack vector, lack of required privileges, and the impact limited to availability degradation. The vulnerability is classified under CWE-401 (Missing Release of Memory after Effective Lifetime) and CWE-770 (Allocation of Resources Without Limits or Throttling).
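The early-return pattern behind this CVE, shown as an added, constructed illustration (not CryptoLib's source): both functions allocate request/response buffers and call a stand-in for the KMC HTTP exchange; the leaky variant returns on a non-200 status without freeing, while the fixed variant routes every outcome through one cleanup path. The `tracked_malloc`/`tracked_free` wrappers, `kmc_exchange` and the status codes are assumptions for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>

#define STATUS_OK          0
#define STATUS_KMC_FAILURE 1

static long live_allocs = 0;   /* instrumentation: blocks allocated but not yet freed */

static void *tracked_malloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void  tracked_free(void *p)    { if (p) { live_allocs--; free(p); } }

/* Hypothetical stand-in for the KMC request; returns the HTTP status the caller sees. */
static int kmc_exchange(int simulated_http_status, char *resp, size_t n)
{
    snprintf(resp, n, "status=%d", simulated_http_status);
    return simulated_http_status;
}

/* Vulnerable shape (CWE-401): early return on non-200 leaks both buffers. */
int encrypt_leaky(int http_status)
{
    char *request  = tracked_malloc(256);
    char *response = tracked_malloc(256);
    if (!request || !response) { tracked_free(request); tracked_free(response); return -1; }
    if (kmc_exchange(http_status, response, 256) != 200)
        return STATUS_KMC_FAILURE;   /* BUG: request and response are never freed */
    tracked_free(request);
    tracked_free(response);
    return STATUS_OK;
}

/* Hardened shape: a single exit path frees every buffer regardless of outcome. */
int encrypt_fixed(int http_status)
{
    int   rc       = STATUS_OK;
    char *request  = tracked_malloc(256);
    char *response = tracked_malloc(256);
    if (!request || !response) { rc = -1; goto cleanup; }
    if (kmc_exchange(http_status, response, 256) != 200)
        rc = STATUS_KMC_FAILURE;     /* failure is recorded, cleanup still runs */
cleanup:
    tracked_free(request);
    tracked_free(response);
    return rc;
}

/* Call fn n times with a given status and return how many blocks were leaked. */
long leaked_after(int (*fn)(int), int http_status, int n)
{
    long before = live_allocs;
    for (int i = 0; i < n; i++) fn(http_status);
    return live_allocs - before;
}
```

Driving `encrypt_leaky` with a 500 status leaks two blocks per call, which is the same unbounded-growth behaviour the advisory describes; the fixed variant leaks none.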
Potential Impact
For European organizations, the primary impact of CVE-2026-22025 is on the availability and reliability of systems using NASA's CryptoLib for securing spacecraft communications. This is particularly relevant for aerospace companies, satellite operators, and research institutions involved in space missions or satellite ground station operations. Memory exhaustion caused by repeated failed cryptographic operations can lead to system slowdowns, crashes, or denial of service, potentially disrupting critical communication links between spacecraft and ground control. While the vulnerability does not compromise confidentiality or integrity, the loss of availability in space communication systems can have severe operational consequences, including loss of telemetry data, command execution failures, and mission delays. European space agencies and contractors relying on CryptoLib or derivative implementations may face increased risk if they have not applied the patch. Additionally, organizations operating satellite ground stations or involved in space data processing could experience service interruptions. The vulnerability's exploitation does not require authentication, increasing the risk from external network-based attackers or misconfigured servers. However, the absence of known exploits in the wild suggests limited immediate threat but underscores the need for proactive mitigation.
Mitigation Recommendations
To mitigate CVE-2026-22025, European organizations should immediately upgrade to CryptoLib version 1.4.3 or later, where the memory leak issue has been resolved. In environments where immediate upgrade is not feasible, implement monitoring of memory usage in systems running CryptoLib to detect abnormal memory growth indicative of exploitation or network-induced failures. Network-level controls should be employed to ensure the integrity and reliability of the KMC server responses, including validating HTTP status codes and implementing retry logic with backoff to reduce repeated failed requests. Additionally, organizations should audit their cryptographic communication workflows to identify and remediate any misconfigurations that could cause frequent non-200 HTTP responses. Implementing resource usage limits or throttling on cryptographic operations can help prevent resource exhaustion. Finally, maintain up-to-date incident response plans for availability-related incidents in space communication systems and coordinate with vendors and space agencies for timely patch deployment and vulnerability disclosures.
Affected Countries
France, Germany, Italy, United Kingdom, Spain, Belgium, Netherlands, Sweden, Norway, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-05T22:30:38.718Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6961a1f6ed32c7f018d59bee
Added to database: 1/10/2026, 12:48:54 AM
Last enriched: 1/10/2026, 1:05:06 AM
Last updated: 1/10/2026, 10:35:40 AM