PT-2024-35953 · Rpgp · Rpgp
Dignifiedquire +2 · Published 2024-12-05 · Updated 2024-12-06 · CVE-2024-53856
CVSS v4.0: 8.7 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions:
rPGP versions prior to 0.14.1
Description:
The issue allows an attacker to trigger crashes in rPGP by providing crafted data. This can occur in various scenarios, including parsing OpenPGP messages, decrypting messages via decrypt_with_password(), parsing or converting public keys, parsing signed cleartext messages, and using malformed private keys to sign or encrypt. The attack complexity is considered low, and the result is a denial-of-service impact via program termination, with no impact on confidentiality or integrity security properties.
Recommendations:
For versions prior to 0.14.1, upgrade to version 0.14.1 to fix the issue. As a temporary workaround, consider restricting the use of vulnerable components, such as decrypt_with_password(), until the patch is applied. Avoid using malformed private keys to sign or encrypt until the issue is resolved.
Assertion Failure
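The advisory describes a crash class (assertion failure on crafted input) whose impact is process termination, and recommends upgrading to 0.14.1 or fencing off the affected entry points in the meantime. The following Rust program is an added example and is not rPGP's code: `parse_untrusted` is a constructed stand-in that asserts on a malformed length field the way the advisory's bug class does, `guarded` wraps any such call in `std::panic::catch_unwind` so a crafted input fails one request instead of the whole process, and `is_affected` checks a `MAJOR.MINOR.PATCH` string against the affected range (before 0.14.1) for auditing a `Cargo.lock`. The names `GuardError`, `guarded`, `parse_untrusted` and `is_affected` are hypothetical, and the catch_unwind stopgap is this example's suggestion, not something the advisory states.

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};

/// Error returned to the caller instead of letting a panic take the process down.
#[derive(Debug, PartialEq)]
pub enum GuardError {
    /// The wrapped routine panicked (e.g. an assertion failure on malformed data).
    Panicked(String),
    /// The wrapped routine returned an ordinary error.
    Rejected(String),
}

/// Constructed stand-in for a library routine that asserts on input shape
/// (hypothetical; not rPGP code). Input layout: first byte is a declared
/// payload length, the remaining bytes are the payload.
pub fn parse_untrusted(data: &[u8]) -> Result<Vec<u8>, String> {
    if data.is_empty() {
        return Err("empty input".to_string());
    }
    let declared = data[0] as usize;
    // A hardened parser would bounds-check and return Err; this stand-in
    // asserts instead, mimicking the crash class the advisory describes.
    assert!(declared <= data.len() - 1, "declared length exceeds payload");
    Ok(data[1..1 + declared].to_vec())
}

/// Runs `f` and converts a panic into `GuardError::Panicked`, so crafted
/// input costs one failed request rather than program termination.
/// Only effective when the crate is built with the default `panic = "unwind"`.
pub fn guarded<T>(f: impl FnOnce() -> Result<T, String>) -> Result<T, GuardError> {
    match catch_unwind(AssertUnwindSafe(f)) {
        Ok(Ok(v)) => Ok(v),
        Ok(Err(e)) => Err(GuardError::Rejected(e)),
        Err(payload) => {
            // Panic payloads are usually &str or String; recover the message for logging.
            let msg = payload
                .downcast_ref::<&str>()
                .map(|s| s.to_string())
                .or_else(|| payload.downcast_ref::<String>().cloned())
                .unwrap_or_else(|| "non-string panic payload".to_string());
            Err(GuardError::Panicked(msg))
        }
    }
}

/// Parses "MAJOR.MINOR.PATCH" and reports whether the version lies in the
/// affected range from the advisory (anything before 0.14.1).
/// Returns None when the string is not a plain three-part version.
pub fn is_affected(version: &str) -> Option<bool> {
    let mut parts = version.trim().split('.').map(|p| p.parse::<u32>().ok());
    let major = parts.next()??;
    let minor = parts.next()??;
    let patch = parts.next()??;
    Some((major, minor, patch) < (0, 14, 1))
}

fn main() {
    // Constructed inputs: one well-formed, one whose declared length overruns the payload.
    let good = [3u8, b'a', b'b', b'c'];
    let crafted = [200u8, b'a'];
    println!("well-formed: {:?}", guarded(|| parse_untrusted(&good)));
    println!("crafted:     {:?}", guarded(|| parse_untrusted(&crafted)));
    println!("0.13.0 affected: {:?}", is_affected("0.13.0"));
    println!("0.14.1 affected: {:?}", is_affected("0.14.1"));
}
```

The guard is a containment measure for the window before the upgrade lands, not a fix: it does nothing if the binary is built with `panic = "abort"`, and it leaves whatever state the panicking call was mutating in an unknown condition, so the wrapped unit of work should be one that can be discarded whole (a single message or key parse) rather than something holding shared state.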
Affected Products: Rpgp