CVE-2026-22027: CWE-122: Heap-based Buffer Overflow in nasa CryptoLib
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the convert_hexstring_to_byte_array() function in the MariaDB SA interface writes decoded bytes into a caller-provided buffer without any capacity check. When importing SA fields from the database (e.g., IV, ARSN, ABM), a malformed or oversized hex string in the database can overflow the destination buffer, corrupting adjacent heap memory. This issue has been patched in version 1.4.3.
AI Analysis
Technical Summary
CVE-2026-22027 is a heap-based buffer overflow (CWE-122) in NASA's CryptoLib, a software-only library that implements the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure the link between a spacecraft running the core Flight System (cFS) and a ground station. The flaw is in convert_hexstring_to_byte_array() in the MariaDB Security Association (SA) interface of versions prior to 1.4.3. The function decodes a hex string read from the database into a caller-provided byte buffer, but it sizes its writes by the length of the string rather than by the capacity of the buffer. When SA fields such as the IV, ARSN or ABM are imported from the database, a row whose hex column is longer than the fixed-size field that receives it makes the decoder write past the end of that buffer and corrupt adjacent heap memory.

The trust boundary therefore sits at the SA database rather than at the radio link: whoever can write SA rows (a database administrator, anyone holding the database credentials, or a tool that populates the table on their behalf) can trigger the overflow the next time the SA is loaded. The consequences range from a crash of the process that loaded CryptoLib to memory corruption that an attacker with sufficiently fine control over the column contents could attempt to turn into code execution in that process. The CVSS 4.0 assessment cited with the advisory rates the vector as local with high privileges required (AV:L/PR:H) and no user interaction, with impact on confidentiality, integrity and availability. The issue is fixed in CryptoLib 1.4.3. No public exploit or in-the-wild exploitation had been reported at the time of writing. Organisations running CryptoLib in ground or flight software should confirm which version they have deployed and upgrade.
Potential Impact
For European organisations in aerospace, satellite operations or space research, the practical risk is corruption of the process that loads SA material from the MariaDB store: at minimum a crash that interrupts the secured link between spacecraft and ground station, and in the worst case attacker-influenced memory corruption inside the component that manages the link's security state. Because the overflow is triggered by database content rather than by traffic, the realistic attackers are insiders, anyone holding credentials to the SA database, and any compromised administrative account or tooling that can write to it; the high-privilege, local-access rating reflects that entry point, not an absence of consequence. No public exploit is known, which lowers the immediate risk but not the exposure of ground segments shared between European agencies and contractors, where a single SA store may serve several missions. Disruption or compromise of these systems could have cascading effects on national security, scientific research and commercial satellite services.
Mitigation Recommendations
European organisations should verify whether any deployed CryptoLib is older than 1.4.3 and upgrade; the capacity check in the patched release is the only complete fix. Until the upgrade is in place, treat the SA database as untrusted input: audit the existing rows and confirm that every hex-encoded column decoded on import (IV, ARSN, ABM and any others) is no longer than twice the size of the destination field, since each pair of hex digits becomes one byte; enforce that limit at the database level with column length constraints where the schema allows it; and restrict write access to the SA tables to the accounts that genuinely need it, separate from the account CryptoLib uses to read them. Monitor the processes that load SAs for crashes and heap-corruption aborts (allocator or sanitizer reports) and treat them as possible exploitation attempts rather than as flakiness. ASLR, hardened allocators and non-executable memory make a crash more likely than code execution but do not prevent the overflow itself. Follow the CryptoLib repository and NASA advisories for further fixes and apply the usual controls for securing aerospace communication infrastructure.
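As an added example, not CryptoLib's own code, the following C shows the decoding pattern the technical summary describes (a hex decoder that trusts the string length and never the buffer's), a hardened form that takes the destination capacity, and the row pre-check the mitigation section calls for. The function names, the field widths EX_IV_MAX, EX_ARSN_MAX and EX_ABM_MAX, the ex_sa_t record and the sample rows are all assumptions made for illustration; the real function's signature and CryptoLib's field sizes may differ.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical field widths for this example; not CryptoLib's constants. */
#define EX_IV_MAX   16
#define EX_ARSN_MAX 20
#define EX_ABM_MAX  64

enum { HEX_OK = 0, HEX_ERR_SYNTAX = -1, HEX_ERR_CAPACITY = -2 };

static int nibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Vulnerable pattern (CWE-122): the number of bytes written is strlen(src)/2,
   so a column longer than the destination field runs off the end of dst.
   Only ever called here with input that fits. */
int hex_to_bytes_unchecked(const char *src, uint8_t *dst) {
    size_t n = strlen(src), i;
    for (i = 0; i + 1 < n; i += 2) {
        int hi = nibble(src[i]), lo = nibble(src[i + 1]);
        if (hi < 0 || lo < 0) return HEX_ERR_SYNTAX;
        dst[i / 2] = (uint8_t)((hi << 4) | lo);   /* no bound on i / 2 */
    }
    return (int)(i / 2);
}

/* Hardened form: the caller passes the capacity and the decoder refuses
   oversized or malformed input before touching the buffer. */
int hex_to_bytes_checked(const char *src, uint8_t *dst, size_t dst_cap, size_t *out_len) {
    size_t n = strlen(src);
    if (n % 2 != 0) return HEX_ERR_SYNTAX;         /* odd digit count is not bytes */
    if (n / 2 > dst_cap) return HEX_ERR_CAPACITY;  /* the missing check */
    for (size_t i = 0; i < n; i += 2) {
        int hi = nibble(src[i]), lo = nibble(src[i + 1]);
        if (hi < 0 || lo < 0) return HEX_ERR_SYNTAX;
        dst[i / 2] = (uint8_t)((hi << 4) | lo);
    }
    *out_len = n / 2;
    return HEX_OK;
}

/* Hypothetical SA record shaped like the database fields the advisory names. */
typedef struct {
    uint8_t iv[EX_IV_MAX];     size_t iv_len;
    uint8_t arsn[EX_ARSN_MAX]; size_t arsn_len;
    uint8_t abm[EX_ABM_MAX];   size_t abm_len;
} ex_sa_t;

/* Import one row's hex columns; one oversized column rejects the whole row. */
int ex_sa_import(ex_sa_t *sa, const char *iv_hex, const char *arsn_hex, const char *abm_hex) {
    int rc;
    if ((rc = hex_to_bytes_checked(iv_hex,   sa->iv,   sizeof sa->iv,   &sa->iv_len))   != HEX_OK) return rc;
    if ((rc = hex_to_bytes_checked(arsn_hex, sa->arsn, sizeof sa->arsn, &sa->arsn_len)) != HEX_OK) return rc;
    if ((rc = hex_to_bytes_checked(abm_hex,  sa->abm,  sizeof sa->abm,  &sa->abm_len))  != HEX_OK) return rc;
    return HEX_OK;
}

/* Bytes the unchecked decoder would write for a column value: the pre-check
   to run over existing rows (strlen / 2 against the field width) before upgrading. */
size_t hex_decoded_len(const char *src) { return strlen(src) / 2; }

int main(void) {
    ex_sa_t sa;
    /* Constructed sample rows, not data from any real SA database. */
    const char *good_iv = "000102030405060708090a0b";             /* 12 bytes, fits   */
    const char *bad_iv  = "000102030405060708090a0b0c0d0e0f1011"; /* 18 bytes, too big */
    printf("good row: rc=%d, iv_len=%zu\n",
           ex_sa_import(&sa, good_iv, "0000000001", "ffff"), sa.iv_len);
    printf("bad row:  rc=%d (unchecked decoder would write %zu bytes into a %d-byte IV)\n",
           ex_sa_import(&sa, bad_iv, "0000000001", "ffff"),
           hex_decoded_len(bad_iv), EX_IV_MAX);
    return 0;
}
```

The checked decoder rejects the row before writing a single byte, so a malformed column leaves the SA record untouched; the same length comparison, run as a query over the hex columns of the SA tables, is the cheapest way to find rows that would overflow a pre-1.4.3 decoder.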
Affected Countries
France, Germany, Italy, United Kingdom, Spain, Belgium, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-05T22:30:38.718Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6961a1f6ed32c7f018d59bf8
Added to database: 1/10/2026, 12:48:54 AM
Last enriched: 1/10/2026, 1:04:50 AM
Last updated: 1/10/2026, 10:37:40 AM