>

CVE-2026-5476

medium

A vulnerability was identified in NASA cFS up to 7.0.0 on 32-bit. Affected is the function CFE_TBL_ValidateCodecLoadSize of the file cfe/modules/tbl/fsw/src/cfe_tbl_passthru_codec.c. The manipulation leads to integer overflow. The complexity of an attack is rather high. The exploitability is told to be difficult. A fix is planned for the upcoming version milestone of the project.

4.6
cvss medium
common vulnerability scoring system v3.1. measures intrinsic severity on a 0-10 scale.
epss 0.0002
exploitation prediction scoring system. probability this vulnerability will be exploited in the wild in the next 30 days.
kev no
cisa known exploited vulnerabilities catalog. confirmed active exploitation.
CVSS 3.1 Common Vulnerability Scoring System v3.1
4.6 / 10
MEDIUM
exploitability
Attack Vector
Adjacent
Attack Vector (AV:A): requires access to the local network segment (e.g. same WiFi, VLAN). not exploitable from the internet.
Attack Complexity
High
Attack Complexity (AC:H): exploitation requires specific conditions outside the attacker's control (race condition, non-default config, etc).
Privileges Required
Low
Privileges Required (PR:L): requires basic user-level access.
User Interaction
None
User Interaction (UI:N): no victim action needed. fully exploitable without user interaction.
impact
Scope
Unchanged
Scope (S:U): impact limited to the vulnerable component.
Confidentiality
Low
Confidentiality (C:L): limited data exposure. some restricted information can be read.
Integrity
Low
Integrity (I:L): limited data modification. some data can be altered.
Availability
Low
Availability (A:L): reduced performance or partial service interruption.
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
CVSS 4.0 Common Vulnerability Scoring System v4.0
2.1 / 10
LOW
exploitability
Attack Vector
Adjacent
Attack Vector (AV:A): requires access to the local network segment (e.g. same WiFi, VLAN). not exploitable from the internet.
Attack Complexity
High
Attack Complexity (AC:H): exploitation requires specific conditions outside the attacker's control (race condition, non-default config, etc).
Attack Requirements
None
Attack Requirements (AT:N): no special deployment or execution conditions needed.
Privileges Required
Low
Privileges Required (PR:L): requires basic user-level access.
User Interaction
None
User Interaction (UI:N): no victim action needed. fully exploitable without user interaction.
vulnerable system impact
Vuln Confidentiality
Low
Confidentiality (VC:L): limited data exposure. some restricted information can be read.
Vuln Integrity
Low
Integrity (VI:L): limited data modification. some data can be altered.
Vuln Availability
Low
Availability (VA:L): reduced performance or partial service interruption.
subsequent system impact
Sub Confidentiality
None
Subsequent Confidentiality: impact on data confidentiality of downstream/connected systems. Value: N (None)
Sub Integrity
None
Subsequent Integrity: impact on data integrity of downstream/connected systems. Value: N (None)
Sub Availability
None
Subsequent Availability: impact on service availability of downstream/connected systems. Value: N (None)
CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
exploit detect attrib advisory media timeline
exploitation detection attribution advisories media timeline
activity density
rdintel assessment
18 threat composite score from 15+ signals including exploitation status, epss probability, detection coverage, and community attention. 0-100 scale.

sign in to view full intelligence

pocs, detection rules, timeline, advisories, and more

sign in create account