PatchSiren cyber security CVE debrief
CVE-2026-22208 OpenS100 Project CVE debrief
OpenS100, a reference-implementation S-100 viewer, contains a critical remote code execution vulnerability in its Portrayal Engine before commit 753cf29. The engine initializes Lua with luaL_openlibs() and applies no sandboxing or capability restrictions afterwards, so the full Lua standard library, including the 'os' and 'io' modules, is exposed to untrusted portrayal catalogues. An attacker can craft a malicious S-100 portrayal catalogue whose Lua scripts execute arbitrary system commands with the privileges of the OpenS100 process once a user imports the catalogue and loads a chart that uses it. The CVE was published on 2026-02-17 and last modified on 2026-05-26. The issue is classified as CWE-749 (Exposed Dangerous Method or Function) and CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).
- Vendor: OpenS100 Project
- Product: OpenS100
- CVSS: CRITICAL 9.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-17
- Original CVE updated: 2026-05-26
- Advisory published: 2026-02-17
- Advisory updated: 2026-05-26
Who should care
Maritime navigation system operators, hydrographic office IT staff, vessel ECDIS administrators, S-100 data providers, and any organization using OpenS100 to visualize S-100 charts should prioritize this vulnerability. S-100 is the successor to S-57 for digital hydrographic data and is increasingly adopted in modern Electronic Chart Display and Information Systems (ECDIS). Shipping companies, port authorities, coastal surveillance operators and maritime safety agencies are at risk. Security teams in critical infrastructure sectors should assess exposure, particularly where OpenS100 processes portrayal catalogues obtained from external or unverified sources.
Technical summary
The OpenS100 Portrayal Engine initializes its Lua interpreter with luaL_openlibs(), which loads the complete Lua standard library, and applies no sandbox or capability restrictions afterwards. Scripts embedded in S-100 portrayal catalogues therefore have access to 'os' (the operating-system interface, including functions such as os.execute) and 'io' (file I/O) on top of the portrayal API they legitimately need. Because catalogues can be supplied by external sources and their rule scripts run automatically while charts are rendered, a malicious catalogue can run arbitrary system commands as the OpenS100 user. User interaction is required to import the catalogue, but after that no further action is needed: the embedded code runs each time a chart that uses the portrayal is loaded. Whatever the project's fix commit does in detail, the standard hardening for an embedded Lua host is to open only the libraries a rule needs (for example base, string, table and math) and to remove code-loading functions such as dofile, loadfile, load and require from the base library, instead of calling luaL_openlibs(). The CVSS 4.0 vector records network attack vector, low attack complexity, no privileges required, and high impact on confidentiality, integrity and availability.
Defensive priority
CRITICAL
Recommended defensive actions
- Update OpenS100 to a build that includes fix commit 753cf29 (753cf294434e8d3961f20a567c4d99151e3b530d) or later
- Segment the network around S-100 viewer systems so that a compromised viewer cannot reach bridge, hydrographic-office or corporate networks
- Accept portrayal catalogues only from trusted sources and verify their integrity before import
- Review and validate every portrayal catalogue before import, in particular inspecting its Lua rule scripts for references to 'os', 'io' and code-loading functions
- Monitor OpenS100 for child process creation (shells or command interpreters spawned by the viewer) and unexpected file writes; these are the observable side effects of 'os' and 'io' abuse from a rule script
- Run OpenS100 under a dedicated account with the minimum file and network permissions it needs (principle of least privilege)
- Consider application allowlisting or sandboxing for the OpenS100 execution environment, so that a process spawned or a file written by the viewer is blocked or at least recorded
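The "review and validate before import" action is only useful with a concrete check behind it. The script below is an added example written for this debrief, not OpenS100 code and not the project's fix: a pre-import lint that reads a portrayal catalogue zip (the assumption that rule scripts are the *.lua members is ours) and flags every reference to the standard-library globals the engine exposes, 'os' and 'io' first, plus the loaders and global-table accessors (load, dofile, require, rawget, _G, _ENV and friends) that a payload would use to reach them indirectly. It blanks Lua comments and string bodies first, so a literal "os." inside a label does not trigger a hit, and it ignores field accesses such as t.os. The two embedded rule files are constructed samples. A clean report is not proof of safety (a module name assembled at runtime from string pieces is caught only because the accessor used to look it up is itself flagged), so treat hits as a block and a clean run as one input to a manual review.

```python
# Pre-import lint for the Lua rule files in an S-100 portrayal catalogue. Added
# example for this debrief, not OpenS100 code. Assumes the catalogue is a .zip
# (path or file object) and that its rule scripts are the *.lua members.
import io, re, sys, zipfile
from collections import namedtuple

# Globals a portrayal rule never needs: 'os' and 'io' are the modules the advisory
# names; the rest load code at runtime or reach the global table indirectly.
DANGEROUS_GLOBALS = frozenset(("os io debug package require dofile loadfile load "
                               "loadstring rawget rawset _G _ENV getfenv setfenv").split())
# An identifier not preceded by '.' or ':' (t.os is a field, not the library).
IDENT = re.compile(r"(?<![\w.:])([A-Za-z_]\w*)")
Finding = namedtuple("Finding", "file line name source")

def lua_code_only(src):
    """Blank comments and string bodies but keep newlines (so line numbers hold):
    -- and --[==[ ]==] comments, quoted strings with escapes, [==[ ]==] strings."""
    blank = lambda text: "".join(c if c == "\n" else " " for c in text)
    def long_close(pos):  # closing bracket for a long bracket opened at pos
        m = re.match(r"\[(=*)\[", src[pos:])
        return "]" + m.group(1) + "]" if m else None
    out, i, n = [], 0, len(src)
    while i < n:
        ch = src[i]
        if src.startswith("--", i):                   # comment
            close = long_close(i + 2)
            end = src.find(close, i + 2) if close else src.find("\n", i)
            end = n if end == -1 else end + (len(close) if close else 0)
            out.append(blank(src[i:end]))
            i = end
        elif ch in "\"'":                             # quoted string
            j = i + 1
            while j < n and src[j] not in (ch, "\n"):
                j += 2 if src[j] == "\\" else 1
            out.append(ch + blank(src[i + 1:j]) + src[j:j + 1])
            i = j + 1
        elif ch == "[" and (close := long_close(i)):  # long string
            end = src.find(close, i + 2)
            end = n if end == -1 else end + len(close)
            out.append(blank(src[i:end]))
            i = end
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def scan_lua(src, filename="<string>"):
    """Report every use of a dangerous global in one Lua source."""
    hits, code = [], lua_code_only(src)
    for no, (line, orig) in enumerate(zip(code.split("\n"), src.split("\n")), 1):
        for m in IDENT.finditer(line):
            if m.group(1) in DANGEROUS_GLOBALS:
                hits.append(Finding(filename, no, m.group(1), orig.strip()))
    return hits

def iter_lua_files(catalogue):
    """Yield (member name, source) for every *.lua member of a catalogue zip."""
    with zipfile.ZipFile(catalogue) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".lua"):
                yield info.filename, zf.read(info).decode("utf-8", "replace")

def scan_catalogue(catalogue):
    return [f for name, src in iter_lua_files(catalogue) for f in scan_lua(src, name)]

# Constructed samples, not from any real catalogue: a plausible rule, then one
# carrying the advisory's payload type plus two indirections a grep would miss.
BENIGN_RULE = """
-- Pick a colour token for a depth contour (constructed rule)
local function depthColour(feature)
  local depth = feature:getValue("valueOfDepth")
  local note = "formatted like os.date"   -- io.write is not needed here
  return depth ~= nil and depth < 10 and "DEPSC" or "DEPDW"
end
return depthColour
"""
MALICIOUS_RULE = """
--[[ looks like an ordinary symbol-instruction rule ]]
local function instruction(feature)
  os.execute("id > /tmp/pwned")                    -- direct 'os' use
  local h = io.popen("id")                         -- direct 'io' use
  local f = load(feature:getValue("hiddenChunk"))  -- runtime code loader
  rawget(_G, "o" .. "s").exit(0)                   -- name built at runtime
end
return instruction
"""

def demo():
    """Pack both samples into an in-memory catalogue zip and scan it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Rules/depthColour.lua", BENIGN_RULE)
        zf.writestr("Rules/instruction.lua", MALICIOUS_RULE)
    return scan_catalogue(buf)

if __name__ == "__main__":
    found = scan_catalogue(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in found:
        print(f"{f.file}:{f.line}: uses '{f.name}': {f.source}")
    sys.exit(1 if found else 0)
```

Run it as `python3 catalogue_lint.py /path/to/catalogue.zip`; a non-zero exit status signals findings, which makes it usable as a gate in an import workflow. Without an argument it scans the two embedded samples and reports the five hits in the malicious rule and none in the benign one.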
Evidence notes
The vulnerability description is sourced from the official CVE record and the VulnCheck advisory. The fix commit and an academic reference are documented in NVD reference data. Vendor identification is low-confidence, inferred from analysis of the reference domains.
Official resources
The vulnerability was disclosed via VulnCheck and is documented in academic literature. The fix is available in commit 753cf294434e8d3961f20a567c4d99151e3b530d.