VYPR
advisoryPublished Jul 16, 2026· 1 source

NASA Core Flight System Vulnerable to Denial-of-Service Attack

A NULL Pointer Dereference vulnerability in NASA's Core Flight System Health & Safety application could allow attackers to crash the system, impacting critical space missions.

NASA's Core Flight System (cFS) Health & Safety (HS) application, a critical component in managing spacecraft operations, has been found to contain a significant vulnerability that could lead to denial-of-service conditions. The flaw, identified as CVE-2026-15352, resides in versions prior to v7.0.1 of the HS application.

The vulnerability stems from a NULL Pointer Dereference issue. When the application processes a routine Housekeeping Telemetry request, it can trigger a segmentation fault. This unexpected crash can lead to a complete denial-of-service, potentially disrupting the normal functioning of a spacecraft.

This vulnerability is particularly concerning given the critical nature of space missions. The HS application is responsible for monitoring and managing the health and safety parameters of a spacecraft. A successful exploitation could render a mission inoperable, leading to significant financial losses and potential risks to astronauts if applicable.

The Common Vulnerability Scoring System (CVSS) v3.1 assigns a base score of 7.5, categorizing it as HIGH severity. The CVSS v4.0 score is also rated HIGH at 8.2. These scores reflect the potential for a remote attacker to exploit this vulnerability without requiring any user interaction or elevated privileges, making it a significant threat.

NASA has acknowledged the vulnerability and recommends that users update to version v7.0.1 of the Health & Safety application to remediate the issue. This update is available on the official NASA HS GitHub repository. The agency also advises implementing standard cybersecurity best practices for industrial control systems, including minimizing network exposure, isolating control system networks, and utilizing secure remote access methods like VPNs.

While no public exploitation of this specific vulnerability has been reported to CISA at this time, the potential impact on critical space infrastructure warrants immediate attention. The widespread use of NASA's cFS across various space agencies and projects means that the attack surface could be substantial.

This incident underscores the ongoing challenges in securing complex software systems, especially those operating in highly specialized and critical environments like space exploration. The vulnerability highlights the need for continuous security auditing and prompt patching of software used in these sensitive domains.

Synthesized by Vypr AI