NASA Core Flight System Health & Safety Application Denial-of-Service Vulnerability
A high-severity denial-of-service vulnerability, CVE-2026-15352, affects NASA Core Flight System (cFS) Health & Safety (HS) Application versions prior to v7.0.1, allowing an unauthenticated attacker to crash the application via a crafted Housekeeping Telemetry request, leading to service disruption in critical infrastructure sectors like Transportation Systems.
A significant vulnerability, identified as CVE-2026-15352, has been discovered in NASA's Core Flight System (cFS) Health & Safety (HS) Application. This flaw, present in versions prior to v7.0.1, is a NULL Pointer Dereference (CWE-476) that can be triggered when the application processes a routine Housekeeping Telemetry request. Successful exploitation by an unauthenticated attacker results in a segmentation fault, causing the application to crash and leading to a denial-of-service condition. This vulnerability is particularly critical as the cFS HS Application is deployed worldwide and is integral to Transportation Systems, making affected systems susceptible to significant operational disruption. There is no public information about active exploitation of this vulnerability.
Attack Chain
- An unauthenticated attacker sends a specially crafted Housekeeping Telemetry request to a vulnerable NASA Core Flight System (cFS) Health & Safety (HS) Application instance (versions prior to v7.0.1).
- The application receives and attempts to process the malformed telemetry request.
- During this processing, a NULL Pointer Dereference occurs within the application's code, leading to CVE-2026-15352.
- The NULL Pointer Dereference triggers a segmentation fault within the application's process.
- The segmentation fault causes the cFS Health & Safety Application to crash unexpectedly.
- The application's crash results in a denial-of-service condition, rendering the affected instance inoperable.
Impact
Successful exploitation of CVE-2026-15352 leads directly to a denial-of-service condition, causing the NASA Core Flight System (cFS) Health & Safety (HS) Application to crash. This can result in the loss of critical health monitoring and safety functions for affected systems. Given its deployment in critical infrastructure sectors, particularly Transportation Systems worldwide, such disruptions could have severe operational consequences, compromising the reliability and safety of space and aeronautical missions or related ground control systems. The direct impact is service unavailability, which could cascade into broader system failures depending on the specific integration and operational context.
Recommendation
- Patch CVE-2026-15352 immediately by updating all instances of the NASA Core Flight System (cFS) Health & Safety (HS) Application to v7.0.1 or later using the official release from
https://github.com/nasa/HS/releases/tag/v7.0.1. - Implement strict network segmentation and firewall rules to minimize network exposure for all control system devices and systems, ensuring that
NASA Core Flight System (cFS) Health & Safety (HS) Applicationinstances are not directly accessible from the internet. - When remote access to
NASA Core Flight System (cFS) Health & Safety (HS) Applicationis required, use secure methods such as Virtual Private Networks (VPNs) and ensure VPNs are updated to the most current version available.