Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64096

CVE-2025-64096: NASA Cryptolib Buffer Overflow Vulnerability

CVE-2025-64096 is a stack-based buffer overflow flaw in NASA Cryptolib that allows remote attackers to trigger memory corruption via spoofed TLV packets. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2025-64096 Overview

CVE-2025-64096 is a stack-based buffer overflow vulnerability in NASA CryptoLib, a software-only implementation of the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP). The library secures communications between spacecraft running the core Flight System (cFS) and ground stations. The vulnerability resides in the Crypto_Key_update() function within crypto_key_mgmt.c and stems from a missing bounds check on an attacker-controlled length field. A remote attacker with low privileges can supply a crafted TLV packet to trigger memory corruption. The flaw affects CryptoLib versions prior to 1.4.2 and is fixed in release 1.4.2.

Critical Impact

A remote authenticated attacker can corrupt stack memory in the key management routine, potentially leading to arbitrary code execution within spacecraft-to-ground communication infrastructure.

Affected Products

  • NASA CryptoLib versions prior to 1.4.2
  • Spacecraft systems running core Flight System (cFS) that integrate CryptoLib
  • Ground station software using CryptoLib for SDLS-EP key management

Discovery Timeline

  • 2025-10-30 - CVE-2025-64096 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-64096

Vulnerability Analysis

The vulnerability is classified as a stack-based buffer overflow [CWE-121] in the Crypto_Key_update() function defined in crypto_key_mgmt.c. CryptoLib parses Type-Length-Value (TLV) packets as part of the SDLS-EP key management protocol. The function derives the number of keys to process from the pdu_len field supplied in the incoming TLV packet. The code does not validate pdu_len against the fixed size of the local stack array kblk[98] before iterating and writing key block entries. An attacker who supplies a spoofed pdu_len larger than 98 forces the loop to write past the bounds of the stack buffer, corrupting adjacent stack memory including saved return addresses.

Root Cause

The root cause is missing input validation on a length field that originates from untrusted network input. The Crypto_Key_update() function trusts the protocol-supplied pdu_len value and uses it directly to compute write offsets into the static kblk[98] buffer. Without a comparison against the array capacity, the calculation produces out-of-bounds writes whenever the attacker-controlled count exceeds the static allocation.

Attack Vector

Exploitation requires network access to the CryptoLib endpoint and low-level privileges sufficient to submit SDLS-EP key management PDUs. The attacker constructs a TLV packet declaring a pdu_len value that causes the derived key count to exceed 98. When CryptoLib processes the packet, the overflow writes attacker-controlled bytes into stack memory beyond kblk[]. The attack does not require user interaction, and successful corruption can yield code execution in the context of the spacecraft or ground station process handling secure link communications.

No public proof-of-concept code is available. Technical details are described in the NASA CryptoLib GitHub Security Advisory.

Detection Methods for CVE-2025-64096

Indicators of Compromise

  • SDLS-EP TLV packets containing pdu_len values that imply more than 98 key blocks
  • Unexpected process crashes or segmentation faults in CryptoLib-linked binaries during key update operations
  • Anomalous restart events on cFS-based spacecraft software components that handle key management

Detection Strategies

  • Inspect SDLS-EP packet flows for malformed TLV structures and oversized length fields prior to delivery to CryptoLib
  • Deploy memory-safety instrumentation such as AddressSanitizer in test environments to surface out-of-bounds writes in Crypto_Key_update()
  • Correlate ground station telemetry with command uplink logs to identify suspicious key management activity

Monitoring Recommendations

  • Log all SDLS-EP key update PDUs with source identifiers and length fields for retrospective analysis
  • Alert on repeated parsing failures or crashes within processes that link CryptoLib
  • Monitor configuration management systems for the presence of CryptoLib versions earlier than 1.4.2

How to Mitigate CVE-2025-64096

Immediate Actions Required

  • Upgrade CryptoLib to version 1.4.2 or later on all spacecraft and ground station systems
  • Audit cFS deployments and ground software builds to identify embedded copies of vulnerable CryptoLib versions
  • Restrict network paths that can deliver SDLS-EP key management PDUs to authenticated, authorized peers only

Patch Information

The vulnerability is fixed in NASA CryptoLib version 1.4.2. The fix adds the missing bounds check in Crypto_Key_update() so that pdu_len-derived counts cannot exceed the size of kblk[98]. Refer to the NASA CryptoLib GHSA-w6c3-pxvr-6m6j advisory for upgrade guidance and patch references.

Workarounds

  • Apply network segmentation to limit which peers can submit SDLS-EP key management traffic to CryptoLib endpoints
  • Enforce strict authentication and authorization on all uplink command paths that reach the key management interface
  • Deploy upstream packet validation that rejects TLV packets whose declared length fields exceed protocol expectations
bash
# Verify installed CryptoLib version and rebuild against 1.4.2
git clone https://github.com/nasa/CryptoLib.git
cd CryptoLib
git checkout v1.4.2
mkdir build && cd build
cmake ..
make

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.