CVE-2024-44910

7.5 HIGH

📋 TL;DR

CVE-2024-44910 is an out-of-bounds read vulnerability in NASA CryptoLib v1.3.0's AOS subsystem that could allow attackers to read sensitive memory contents or cause denial of service. This affects any systems or applications using the vulnerable CryptoLib version for cryptographic operations. The vulnerability is present in the default configuration of affected versions.

💻 Affected Systems

Products:
  • NASA CryptoLib
Versions: v1.3.0
Operating Systems: All platforms where CryptoLib is compiled and used
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using the AOS subsystem functionality in crypto_aos.c. The vulnerability is in the library itself, not dependent on specific OS configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Information disclosure of sensitive cryptographic keys or memory contents leading to complete system compromise, or denial of service causing application/system crashes.

🟠 Likely Case: Application crashes or denial of service through memory corruption, potentially exposing limited memory contents.

🟢 If Mitigated: Limited impact with proper memory protection mechanisms and isolation, though crashes may still occur.

🌐 Internet-Facing: MEDIUM - Exploitation requires specific conditions and knowledge of the AOS subsystem usage, but internet-facing systems using CryptoLib are potentially vulnerable.
🏢 Internal Only: MEDIUM - Internal systems using CryptoLib for cryptographic operations could be affected, though exploitation requires specific conditions.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of the AOS subsystem and ability to trigger specific conditions. The GitHub issue includes technical details that could aid exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check GitHub repository for latest version (likely v1.3.1 or later)

Vendor Advisory: https://github.com/nasa/CryptoLib/issues/268

Restart Required: Yes

Instructions:

1. Check current CryptoLib version.
2. Update to latest version from GitHub repository.
3. Recompile any applications using CryptoLib.
4. Restart affected services/applications.

🔧 Temporary Workarounds

Disable AOS subsystem (Applies to: all)

If AOS functionality is not required, disable or remove references to crypto_aos.c in your implementation:

  • Modify source code to exclude AOS subsystem usage
  • Recompile without AOS support

🧯 If You Can't Patch

  • Implement strict input validation and bounds checking for all CryptoLib function calls
  • Isolate CryptoLib usage in sandboxed or containerized environments to limit potential impact

🔍 How to Verify

Check if Vulnerable:

Check whether your application uses NASA CryptoLib v1.3.0 and calls functions from crypto_aos.c.

Check Version:

Check build configuration or source code for CryptoLib version references.

Verify Fix Applied:

Verify that the CryptoLib version is updated beyond v1.3.0 and test AOS functionality.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory access violations
  • Unexpected termination of services using CryptoLib

Network Indicators:

  • Unusual patterns in cryptographic protocol failures

SIEM Query:

Search for process crashes related to cryptographic operations or memory access violations in applications using CryptoLib.
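The log indicators above (crashes with memory access violations in services that link CryptoLib) can be turned into a small triage script. The following is an added example, not code from this advisory or from the CryptoLib project: it parses two common Linux crash records (the kernel's `segfault at ...` line and systemd's `Main process exited, code=dumped` line), keeps only the hits for a watch-list of service names, and decodes the kernel page-fault error bits so an analyst can tell a read fault (what an out-of-bounds read would produce) from a write fault. The log lines, the service names (`aos-gateway`, `telemetry-relay`) and the shared-object name `libcryptolib.so` are all constructed for the example, not taken from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Two common Linux crash records:
#   kernel: "<proc>[<pid>]: segfault at <addr> ip <addr> sp <addr> error <n> in <object>[base+size]"
#   systemd: "<unit>.service: Main process exited, code=dumped, status=11/SEGV"
KERNEL_SEGFAULT = re.compile(
    r"(?P<proc>[\w.\-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r".*?error (?P<err>\d+)(?: in (?P<obj>[^\[ ]+))?"
)
SYSTEMD_DUMPED = re.compile(
    r"(?P<unit>[\w.\-@]+)\.service: Main process exited, "
    r"code=(?:dumped|killed), status=(?P<status>\d+)/(?P<sig>SEGV|BUS|ABRT)"
)

# Assumed watch-list: service/process names known to link CryptoLib (constructed names).
WATCHED_PROCESSES = {"aos-gateway", "telemetry-relay"}

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "Jan 10 12:00:01 gs01 kernel: [ 1234.567890] aos-gateway[4821]: segfault at 7f3a1c0a4000 "
    "ip 00005581a2b4c1d0 sp 00007ffd3e1b2a40 error 4 in libcryptolib.so[7f3a1bf00000+80000]",
    "Jan 10 12:00:02 gs01 systemd[1]: aos-gateway.service: Main process exited, code=dumped, status=11/SEGV",
    "Jan 10 12:00:05 gs01 sshd[900]: Accepted publickey for ops from 10.0.0.5 port 51234",
    "Jan 10 12:01:10 gs01 kernel: [ 1303.111111] chromium[2210]: segfault at 0 "
    "ip 000055d1c0ffee00 sp 00007ffc11223340 error 6 in chromium[55d1c0000000+2000000]",
    "Jan 10 12:02:00 gs01 systemd[1]: telemetry-relay.service: Main process exited, code=exited, status=1/FAILURE",
]


def describe_error_bits(err: int) -> str:
    """Decode the x86 page-fault error code logged by the kernel:
    bit 1 = write (clear means read), bit 2 = fault taken in user mode."""
    access = "write" if err & 2 else "read"
    mode = "user" if err & 4 else "kernel"
    return f"{access} fault in {mode} mode"


@dataclass
class CrashFinding:
    process: str
    pid: Optional[int]
    kind: str
    detail: str
    raw: str


def find_cryptolib_crashes(lines: Iterable[str], watched: Iterable[str]) -> List[CrashFinding]:
    """Return crash records whose process or unit name is on the watch-list."""
    watched = set(watched)
    findings: List[CrashFinding] = []
    for line in lines:
        m = KERNEL_SEGFAULT.search(line)
        if m and m["proc"] in watched:
            detail = describe_error_bits(int(m["err"]))
            if m["obj"]:
                detail += f" in {m['obj']}"  # faulting object, if the kernel logged one
            findings.append(CrashFinding(m["proc"], int(m["pid"]), "kernel_segfault", detail, line))
            continue
        m = SYSTEMD_DUMPED.search(line)
        if m and m["unit"] in watched:
            findings.append(CrashFinding(m["unit"], None, "systemd_coredump",
                                         f"status={m['status']}/{m['sig']}", line))
    return findings


def crash_counts(findings: Iterable[CrashFinding]) -> Dict[str, int]:
    """Crashes per watched process; a repeated count is the signal worth alerting on."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.process] = counts.get(f.process, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_cryptolib_crashes(SAMPLE_LOGS, WATCHED_PROCESSES)
    for h in hits:
        print(f"{h.process} pid={h.pid} {h.kind}: {h.detail}")
    print(crash_counts(hits))
```

The unrelated browser crash and the ordinary `code=exited` failure are filtered out; only the two records for the watched service remain, and the kernel line is annotated as a user-mode read fault inside the assumed CryptoLib shared object, which is the shape of evidence the SIEM query above is looking for.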
