PatchSiren

CVE-2026-41144 nasa CVE debrief

CVE-2026-41144 affects NASA F Prime prior to version 4.2.0. A U32 overflow in the byteOffset + dataSize bounds check can let a crafted packet bypass validation, and the destination path is not sanitized, allowing writes to arbitrary files at attacker-chosen offsets. The advisory says this can lead to remote code execution on embedded targets, and notes that ASAN will not detect the bug because the corruption happens through file I/O rather than as a memory-safety violation.

Vendor: nasa
Product: fprime
CVSS: NONE
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-22
Original CVE updated: 2026-05-21
Advisory published: 2026-04-22
Advisory updated: 2026-05-21

Who should care

Teams deploying or integrating NASA F Prime, especially embedded/spaceflight software maintainers using FileUplink or related file-transfer paths. Security and platform teams should also care if F Prime is used in systems where a write to the wrong file could affect boot, configuration, or code-loading behavior.

Technical summary

The issue is a logic flaw, not a memory-corruption primitive. In the affected FileUplink flow, the check byteOffset + dataSize > fileSize uses 32-bit unsigned arithmetic; with attacker-controlled values, the addition can wrap to a small number and bypass the guard. The code then proceeds with a file write at the original large offset, and the destination path is not sanitized, so the write target is not constrained. The vendor material indicates the fix is present in 4.2.0.
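
The check described above, as an added example (not F Prime source and not code from the advisory): a C++ model of the wrapping comparison beside an overflow-safe form, plus a lexical destination check. The function names, sample values and the relative-path policy are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Hypothetical names throughout; this models the advisory's description only.

// Flawed form: the U32 sum wraps modulo 2^32 before it is compared.
bool inBoundsWrapping(std::uint32_t byteOffset, std::uint32_t dataSize,
                      std::uint32_t fileSize) {
    std::uint32_t end = static_cast<std::uint32_t>(byteOffset + dataSize);
    return !(end > fileSize);
}

// Overflow-safe form: never computes byteOffset + dataSize.
bool inBoundsChecked(std::uint32_t byteOffset, std::uint32_t dataSize,
                     std::uint32_t fileSize) {
    if (dataSize > fileSize) return false;    // chunk larger than the file
    return byteOffset <= fileSize - dataSize; // subtraction cannot underflow
}

// Assumed policy: destination must be relative and contain no ".." component.
// Lexical only; symlinks under the upload root need a separate check.
bool destinationAllowed(const std::string& path) {
    if (path.empty() || path.front() == '/') return false;
    std::size_t start = 0;
    while (start <= path.size()) {
        std::size_t end = path.find('/', start);
        if (end == std::string::npos) end = path.size();
        if (path.compare(start, end - start, "..") == 0) return false;
        start = end + 1;
    }
    return true;
}

int main() {
    // Constructed sample values: the sum 0xFFFFFFF0 + 0x20 wraps to 0x10.
    const std::uint32_t off = 0xFFFFFFF0u, len = 0x20u, size = 1024u;
    std::printf("wrapping check accepts: %d\n", inBoundsWrapping(off, len, size));
    std::printf("checked form accepts:   %d\n", inBoundsChecked(off, len, size));
    std::printf("relative path allowed:  %d\n", destinationAllowed("uplink/seq.bin"));
    std::printf("traversal allowed:      %d\n", destinationAllowed("uplink/../cfg"));
    return 0;
}
```

A regression test for the real fix can use the same idea: feed offset and size pairs whose 32-bit sum wraps and assert that the packet is rejected, since ASAN will not flag the failure.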

Defensive priority

High

Recommended defensive actions

  • Upgrade NASA F Prime to version 4.2.0 or later.
  • Review any use of Svc/FileUplink for untrusted or remotely influenced upload data.
  • Validate that deployed systems are not relying on vulnerable 4.1.1 or earlier builds.
  • Restrict file destinations and add explicit path allowlisting or normalization checks where applicable.
  • Treat this as a code-integrity risk on embedded targets and verify downstream boot/configuration impacts.
  • Use the vendor advisory and patch commit to confirm the exact remediation in your build pipeline.

Evidence notes

Official sources include the CVE record, NVD detail page, and GitHub security advisory/patch references. The supplied advisory text states the bug is present prior to 4.2.0, involves U32 overflow in a bounds check, and lacks destination-path sanitization in Svc/FileUplink/File.cpp. The source bundle also notes that ASAN does not catch the issue because the corruption occurs through file I/O. NVD metadata lists CPE evidence for nasa:fprime:4.1.1 as vulnerable and references the GitHub patch commit and vendor advisory.

Official resources

The CVE record was published on 2026-04-22 and last modified on 2026-05-21; this debrief follows the CVE publication timeline, not any generation or review time.