Skip to main content
SecMate
Disclosures

NASA · CryptoLib

Out-of-Bounds Read in KMC Encrypt Metadata Parsing via Flawed strtok Pattern

8.2high
SecMateSECMATE-2025-0008
CVE
CVE-2026-21900NVD
VendorNASA
ProductCryptoLib
VectorCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
AdvisoryGHSA-4g6v-36fv-qcvw
Timeline
Reported
Nov 29, 2025
Fixed
Jan 6, 2026
Published
Jan 9, 2026
Summary

An out-of-bounds heap read vulnerability in cryptography_encrypt() occurs when parsing JSON metadata from KMC server responses. The flawed strtok iteration pattern uses ptr + strlen(ptr) + 1 which reads one byte past allocated buffer boundaries when processing short or malformed metadata strings.

What's hidden in yours?

Find out