CVE-2024-53856: 
Rust vulnerability analysis and mitigation

rPGP, a pure Rust implementation of OpenPGP, was found to contain a vulnerability (CVE-2024-53856) that allows attackers to trigger crashes by providing crafted data. The vulnerability was discovered during a security audit by Radically Open Security and was disclosed on December 5, 2024. The issue affects all versions prior to 0.14.1 (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue is related to multiple weaknesses including improper handling of length parameter inconsistency (CWE-130), improper neutralization of input leaders (CWE-148), and reachable assertion (CWE-617). The vulnerability allows attackers to trigger Rust panics which halt the program through various attack vectors including parsing OpenPGP messages, decrypting messages, parsing public keys, and processing signed cleartext messages (GitHub Advisory).

The vulnerability results in a denial-of-service impact via program termination when processing malformed input. The attack complexity is considered low as the malformed messages are generic, short, and require no victim-specific knowledge. There is no impact to confidentiality or integrity security properties (GitHub Advisory).

The vulnerabilities have been fixed in version 0.14.1. Users are strongly recommended to upgrade to this version as it contains the necessary patches to address the security issues. No alternative workarounds are available (GitHub Advisory).