Cyber Posture

CVE-2025-29910

High · Public PoC

Published: 17 March 2025

Modified: 30 April 2025
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0063 (70.4th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Security Summary

CVE-2025-29910 is a memory leak vulnerability in the `crypto_handle_incrementing_nontransmitted_counter` function within the `crypto_tc.c` file of NASA's CryptoLib, affecting versions 1.3.3 and prior. CryptoLib implements a software-only solution based on the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between spacecraft running the core Flight System (cFS) and ground stations. The flaw occurs because the function allocates memory using `malloc` without always freeing it, leading to gradual resource exhaustion and degraded system performance, especially in long-running processes or those handling large volumes of data.

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable over the network with low complexity, no privileges or user interaction required. Any unauthenticated remote attacker who can trigger the affected function—such as by sending crafted telemetry commands or data streams to a system using CryptoLib—can cause continuous memory leaks, resulting in resource exhaustion, reduced performance, and potential denial-of-service (DoS) conditions. Systems processing high-throughput or continuous data streams, like those in space communications, are particularly at risk.

The primary advisory is published on the NASA CryptoLib GitHub security page (GHSA-p38w-p2r8-g6g5). As of the CVE publication on 2025-03-17, no patched versions of CryptoLib were available, and mitigations are not detailed in the provided information; practitioners should monitor the repository for updates and consider workarounds such as limiting exposure to untrusted inputs or restarting affected processes periodically.
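The leak pattern described in the summary above (a `malloc` whose buffer is not freed on every path), as an added C example; it is not CryptoLib's code and does not reproduce the real function's logic. `counter_update`, `tracked_malloc`, `tracked_free` and `leaked_after_rejects` are hypothetical names, and the counter bytes are constructed sample input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed allocation accounting so a test can observe leaks. */
static long live_allocs = 0;
static void *tracked_malloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void tracked_free(void *p) { if (p) { live_allocs--; free(p); } }
/* Hypothetical stand-in for a counter update: rebuild the full big-endian
 * counter in a scratch buffer from the stored value plus the transmitted
 * low-order bytes, and accept it only if it moves forward. Returns 0 or -1. */
static int counter_update(uint8_t *stored, size_t len, const uint8_t *tx,
                          size_t tx_len, int free_on_every_path)
{
    if (tx_len > len) return -1;             /* rejected before allocating */
    uint8_t *scratch = tracked_malloc(len);
    if (scratch == NULL) return -1;
    memcpy(scratch, stored, len);
    memcpy(scratch + (len - tx_len), tx, tx_len);
    int status = 0;
    if (memcmp(scratch, stored, len) <= 0) { /* stale or repeated counter */
        if (!free_on_every_path)
            return -1;                       /* CWE-401: scratch is never freed */
        status = -1;
    } else {
        memcpy(stored, scratch, len);
    }
    tracked_free(scratch);                   /* single exit: always released */
    return status;
}

/* Feed `frames` rejected inputs and report allocations still outstanding. */
long leaked_after_rejects(int frames, int free_on_every_path)
{
    uint8_t stored[4] = {0, 0, 0, 9};
    const uint8_t stale[2] = {0, 1};         /* constructed stale counter bytes */
    live_allocs = 0;
    for (int i = 0; i < frames; i++)
        (void)counter_update(stored, sizeof stored, stale, sizeof stale, free_on_every_path);
    return live_allocs;
}

int main(void)
{
    printf("leaky: %ld live, fixed: %ld live\n",
           leaked_after_rejects(1000, 0), leaked_after_rejects(1000, 1));
    return 0;
}
```

Wrapping the allocator this way in a unit test, or running the same loop under a leak checker, turns "outstanding allocations grow with rejected input" into a regression check for the fixed path.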

Details

CWE(s): CWE-401

Affected Products

nasa · cryptolib · all versions

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation Impact
Why these techniques?

Memory leak in network-accessible crypto function enables remote exploitation for application-level resource exhaustion and DoS without auth or interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References