{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5474", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-03T07:51:17.409Z", "datePublished": "2026-04-03T17:00:15.566Z", "dateUpdated": "2026-04-03T20:02:13.494Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-03T17:00:15.566Z"}, "title": "NASA cFS CCSDS Packet Header to_lab_passthru_encode.c CFE_MSG_GetSize heap-based overflow", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-122", "lang": "en", "description": "Heap-based Buffer Overflow"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "Memory Corruption"}]}], "affected": [{"vendor": "NASA", "product": "cFS", "versions": [{"version": "7.0", "status": "affected"}], "cpes": ["cpe:2.3:a:nasa:cfs:*:*:*:*:*:*:*:*"], "modules": ["CCSDS Packet Header Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in NASA cFS up to 7.0.0. This affects the function CFE_MSG_GetSize of the file apps/to_lab/fsw/src/to_lab_passthru_encode.c of the component CCSDS Packet Header Handler. Performing a manipulation results in heap-based buffer overflow. The attacker must have access to the local network to execute the attack. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-03T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-03T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-03T09:56:30.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "0rbitingZer0 (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/355078", "name": "VDB-355078 | NASA cFS CCSDS Packet Header to_lab_passthru_encode.c CFE_MSG_GetSize heap-based overflow", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355078/cti", "name": "VDB-355078 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/781950", "name": "Submit #781950 | NASA cFS 7.0.0 Heap over-read via untrusted CCSDS length in TO_LAB sendto", "tags": ["third-party-advisory"]}, {"url": "https://github.com/nasa/cFS/issues/952", "tags": ["issue-tracking"]}, {"url": "https://github.com/nasa/cFS/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T20:02:03.374182Z", "id": "CVE-2026-5474", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T20:02:13.494Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5474", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T20:02:03.374182Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T20:02:09.314Z"}}], "cna": {"title": "NASA cFS CCSDS Packet Header to_lab_passthru_encode.c CFE_MSG_GetSize heap-based overflow", "credits": [{"lang": "en", "type": "reporter", "value": "0rbitingZer0 (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:a:nasa:cfs:*:*:*:*:*:*:*:*"], "vendor": "NASA", "modules": ["CCSDS Packet Header Handler"], "product": "cFS", "versions": [{"status": "affected", "version": "7.0"}]}], "timeline": [{"lang": "en", "time": "2026-04-03T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-03T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-03T09:56:30.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/355078", "name": "VDB-355078 | NASA cFS CCSDS Packet Header to_lab_passthru_encode.c CFE_MSG_GetSize heap-based overflow", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355078/cti", "name": "VDB-355078 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/781950", "name": "Submit #781950 | NASA cFS 7.0.0 Heap over-read via untrusted CCSDS length in TO_LAB sendto", "tags": ["third-party-advisory"]}, {"url": "https://github.com/nasa/cFS/issues/952", "tags": ["issue-tracking"]}, {"url": "https://github.com/nasa/cFS/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in NASA cFS up to 7.0.0. This affects the function CFE_MSG_GetSize of the file apps/to_lab/fsw/src/to_lab_passthru_encode.c of the component CCSDS Packet Header Handler. Performing a manipulation results in heap-based buffer overflow. The attacker must have access to the local network to execute the attack. The project was informed of the problem early through an issue report but has not responded yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "Heap-based Buffer Overflow"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "Memory Corruption"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-03T17:00:15.566Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5474", "state": "PUBLISHED", "dateUpdated": "2026-04-03T20:02:13.494Z", "dateReserved": "2026-04-03T07:51:17.409Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-03T17:00:15.566Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in NASA cFS up to 7.0.0. This affects the function CFE_MSG_GetSize of the file apps/to_lab/fsw/src/to_lab_passthru_encode.c of the component CCSDS Packet Header Handler. Performing a manipulation results in heap-based buffer overflow. The attacker must have access to the local network to execute the attack. The project was informed of the problem early through an issue report but has not responded yet."}], "id": "CVE-2026-5474", "lastModified": "2026-04-03T17:16:54.450", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-03T17:16:54.450", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/nasa/cFS/"}, {"source": "cna@vuldb.com", "url": "https://github.com/nasa/cFS/issues/952"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/781950"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355078"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355078/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-122"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.0"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "cfs", "vendor": "nasa"}], "analysis": {"en": {"generated_at": "2026-04-03T20:36:02.787061+00:00", "value": {"mitigation_remediation": ["Verify current cFS version and download the latest release that resolves the heap overflow.", "Apply the vendor\u2019s patch or upgrade to the patched cFS version.", "Restrict local network communication to authorized ground\u2011control systems and apply network segmentation.", "Monitor flight logs for abnormal packet handling or crashes that could indicate exploitation attempts.", "If no patch is immediately available, review the CFE_MSG_GetSize code to add bounds checking or use safe libraries as a temporary mitigation until an official fix is released."], "summary": {"action": "Apply Patch", "impact": "Heap\u2011based buffer overflow leading to memory corruption and the risk of crash or arbitrary code execution"}, "threat_synthesis": {"affected_systems": "Affected systems include NASA\u2019s cFS software up to and including version 7.0.0. The vulnerability manifests in the to_lab_passthru_encode component, which is part of the overall cFS application set used in many satellite flight software scenarios. Users running non\u2011patched versions of cFS in any environment that permits local network interaction are subject to this risk.", "description_and_impact": "The vulnerability resides in the CFE_MSG_GetSize function within the to_lab_passthru_encode.c source of the CCSDS Packet Header Handler component in NASA's Core Flight System. An attacker can craft malformed input over the local network to trigger a heap\u2011based buffer overflow. The overflow can corrupt adjacent memory, potentially causing a crash or allowing arbitrary code execution on the host. This weakness aligns with CWE\u2011119 and CWE\u2011122 and represents a classic memory corruption flaw.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity level, and the EPSS rating is not available, suggesting no publicly documented exploitation attempts yet. KEV listing is absent, so there is no confirmation of widespread exploitation. The required local network access limits the attack surface to internal or compromised nodes; however, once inside, the attacker could destabilize the flight software or potentially take control if the overflow is successfully leveraged. As such, the risk remains moderate but requires timely mitigation, especially for mission\u2011critical deployments."}}}}, "created": "2026-04-03T21:12:54.253189+00:00", "updated": "2026-04-03T21:15:05.598327+00:00", "vendors": ["nasa", "nasa$PRODUCT$cfs"]}