CVE-2026-22025: CWE-401: Missing Release of Memory after Effective Lifetime in nasa CryptoLib
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, when the KMC server returns a non-200 HTTP status code, cryptography_encrypt() and cryptography_decrypt() return immediately without freeing previously allocated buffers. Each failed request leaks approximately 467 bytes. Repeated failures (from a malicious server or network issues) can gradually exhaust memory. This issue has been patched in version 1.4.3.
AI Analysis
Technical Summary
CVE-2026-22025 identifies a memory leak vulnerability in NASA's CryptoLib software library, which implements the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between spacecraft running the core Flight System (cFS) and ground stations. The vulnerability arises when the KMC server responds with a non-200 HTTP status code during cryptographic operations. Specifically, the cryptography_encrypt() and cryptography_decrypt() functions return immediately upon such a failure without releasing previously allocated memory buffers, leaking approximately 467 bytes per failed request. Over time, repeated failures, whether due to malicious interference or network instability, can cause gradual memory exhaustion, potentially leading to denial-of-service conditions. The vulnerability is classified under CWE-401 (Missing Release of Memory after Effective Lifetime) and CWE-770 (Allocation of Resources Without Limits or Throttling). It affects all CryptoLib versions prior to 1.4.3, with no known exploits in the wild as of the publication date. The CVSS v4.0 base score is 6.3, reflecting a medium severity level, with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The vulnerability does not directly compromise confidentiality or integrity; its effect on availability is indirect, through gradual resource exhaustion. The issue has been addressed in CryptoLib version 1.4.3 by ensuring proper memory deallocation on error paths.
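To make the error-path pattern concrete, here is an added C example that is not CryptoLib's code: the buffer sizes, the fake KMC round trip and the allocation counter are all constructed for the demo. `encrypt_leaky` mirrors the early return the advisory describes, `encrypt_fixed` routes every path through one cleanup label, and `leaked_bytes` measures what a single call leaves allocated, which is the kind of per-request delta a memory-growth check would watch for.

```c
#include <stdio.h>
#include <stdlib.h>
/* Bytes currently allocated by the functions below; a leak is a non-zero delta. */
static size_t live_bytes = 0;
static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (!p) abort();              /* constructed demo: treat OOM as fatal */
    live_bytes += n;
    return p;
}
static void tracked_free(void *p, size_t n) { free(p); live_bytes -= n; }
/* Constructed stand-in for the KMC round trip: returns the HTTP status the
 * caller asked it to simulate and writes a fake body only on 200. */
static int fake_kmc_request(int status, char *out, size_t out_len) {
    if (status == 200) snprintf(out, out_len, "%s", "ciphertext");
    return status;
}
#define REQ_BUF 256   /* constructed sizes summing to the 467 bytes cited per request */
#define HDR_BUF 211
/* Vulnerable pattern: the early return on a non-200 reply skips the frees. */
int encrypt_leaky(int status, char *out, size_t out_len) {
    char *request = tracked_malloc(REQ_BUF);
    char *headers = tracked_malloc(HDR_BUF);
    if (fake_kmc_request(status, out, out_len) != 200)
        return -1;                /* BUG: request and headers are never freed */
    tracked_free(request, REQ_BUF);
    tracked_free(headers, HDR_BUF);
    return 0;
}
/* Fixed pattern: a single exit point, so every path releases both buffers. */
int encrypt_fixed(int status, char *out, size_t out_len) {
    int rc = -1;
    char *request = tracked_malloc(REQ_BUF);
    char *headers = tracked_malloc(HDR_BUF);
    if (fake_kmc_request(status, out, out_len) != 200)
        goto cleanup;             /* error path now shares the cleanup below */
    rc = 0;
cleanup:
    tracked_free(request, REQ_BUF);
    tracked_free(headers, HDR_BUF);
    return rc;
}
/* Bytes one call left allocated; the fixed version returns 0 on every path. */
size_t leaked_bytes(int (*fn)(int, char *, size_t), int status) {
    char out[32];
    size_t before = live_bytes;
    fn(status, out, sizeof out);
    return live_bytes - before;
}
```

Running `leaked_bytes(encrypt_leaky, 500)` in a loop reproduces the steady growth the advisory warns about, while the fixed variant stays flat for both success and failure replies.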
Potential Impact
For European organizations, particularly those engaged in aerospace, satellite communications, or space research using NASA's CryptoLib, this vulnerability poses a risk of denial-of-service due to memory exhaustion. Systems running affected versions may experience degraded performance or crashes if subjected to repeated failed cryptographic operations, whether caused by network instability or malicious actors manipulating KMC server responses. This could interrupt critical spacecraft-to-ground communications, impacting mission operations, data integrity, and command/control functions. While the vulnerability does not directly compromise confidentiality or integrity, the availability impact on mission-critical systems could have significant operational and financial consequences. Given the specialized nature of the software, the impact is concentrated on organizations involved in space systems development, satellite ground stations, and related research institutions within Europe.
Mitigation Recommendations
European organizations should immediately upgrade all instances of NASA CryptoLib to version 1.4.3 or later to ensure the memory leak is patched. In addition, implement robust monitoring of memory usage on systems running CryptoLib to detect abnormal memory consumption patterns indicative of exploitation attempts or network issues causing repeated failures. Network-level controls should be employed to ensure the integrity and reliability of communications with the KMC server, including validating server responses and implementing retry logic with exponential backoff to reduce repeated failed requests. Where feasible, isolate critical cryptographic components in hardened environments with resource limits to mitigate potential denial-of-service effects. Regularly audit and update dependencies to incorporate security patches promptly. Finally, coordinate with space communication infrastructure providers to ensure end-to-end security and resilience against manipulation or network disruptions.
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Belgium, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-05T22:30:38.718Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6961a1f6ed32c7f018d59bee
Added to database: 1/10/2026, 12:48:54 AM
Last enriched: 1/17/2026, 7:42:53 AM
Last updated: 2/7/2026, 4:42:30 AM