PT-2024-35954 · Rpgp · Rpgp

Invd · Published 2024-12-05 · Updated 2024-12-06 · CVE-2024-53857

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: rPGP versions prior to 0.14.1
Description: The issue allows attackers to trigger resource exhaustion in rPGP by providing crafted messages; it affects general message parsing and decryption with symmetric keys. Triggering it can cause out-of-memory conditions that crash the rPGP process, or destabilize the host through memory exhaustion. The vulnerability also involves excessive memory allocation (up to 2 TiB) or long processing times for some decryption operations that use the Argon2 function. An attacker can provide a valid Symmetric Key Encrypted Session Key packet that uses Argon2 for String-to-Key hashing with excessive parameters that are nevertheless within the limits permitted by the RFC 9580 OpenPGP standard.
Recommendations: For versions prior to 0.14.1, upgrade to version 0.14.2 to fix the vulnerability. As a temporary workaround, consider restricting the use of symmetric keys and limiting the size of incoming messages to prevent excessive memory allocation. Avoid using the Argon2 function for String-to-Key hashing with excessive parameters until the issue is resolved.
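The root of the problem described above is that the RFC 9580 Argon2 String-to-Key encoding lets a packet request 2^m KiB of memory with m as high as 31 (2 TiB), so a parser that honours any in-spec value will attempt an enormous allocation. The following is an added illustration, not rPGP's code, of the kind of check an application can run on the decoded S2K fields before invoking the KDF: it first rejects values outside the RFC ranges, then applies a local policy cap on memory. The field layout (t, p, m as log2 KiB) follows RFC 9580; the 64 MiB cap and the sample parameter sets are constructed for the example.

```rust
// Added example (not rPGP's code): bound the memory an RFC 9580 Argon2
// String-to-Key request may demand before the KDF is ever run.

/// Argon2 S2K parameters as carried in an OpenPGP SKESK packet (RFC 9580):
/// `t` passes, `p` lanes, and `m_log2` = log2 of the memory size in KiB.
#[derive(Debug, Clone, Copy)]
pub struct Argon2S2k {
    pub t: u8,
    pub p: u8,
    pub m_log2: u8,
}

#[derive(Debug, PartialEq)]
pub enum S2kError {
    /// Outside the ranges RFC 9580 permits; the packet is malformed.
    OutOfSpec(&'static str),
    /// Valid per the RFC, but above what this application is willing to spend.
    ExceedsPolicy { requested_bytes: u64, max_bytes: u64 },
}

/// Local policy (constructed for this example): the most memory one S2K
/// derivation may request. 64 MiB matches the RFC's recommended m = 16.
pub const MAX_S2K_MEMORY_BYTES: u64 = 64 << 20;

/// Memory the KDF would allocate, in bytes: 2^m_log2 KiB = 2^(m_log2 + 10) B.
/// Saturates instead of overflowing for absurd exponents.
pub fn argon2_memory_bytes(m_log2: u8) -> u64 {
    1u64.checked_shl(m_log2 as u32 + 10).unwrap_or(u64::MAX)
}

/// Validate the parameters and return the memory (in bytes) the derivation
/// would need, or the reason it must be refused.
pub fn check_argon2_s2k(params: &Argon2S2k, max_bytes: u64) -> Result<u64, S2kError> {
    if params.t == 0 {
        return Err(S2kError::OutOfSpec("t must be >= 1"));
    }
    if params.p == 0 {
        return Err(S2kError::OutOfSpec("p must be >= 1"));
    }
    // RFC 9580: m must lie in [3 + ceil(log2 p), 31].
    let ceil_log2_p = (params.p as u32).next_power_of_two().trailing_zeros() as u8;
    let min_m = 3 + ceil_log2_p;
    if params.m_log2 < min_m || params.m_log2 > 31 {
        return Err(S2kError::OutOfSpec("m outside [3+ceil(log2 p), 31]"));
    }
    // In spec, but is it affordable? This is the check a parser that trusts
    // the RFC range alone does not perform.
    let requested = argon2_memory_bytes(params.m_log2);
    if requested > max_bytes {
        return Err(S2kError::ExceedsPolicy { requested_bytes: requested, max_bytes });
    }
    Ok(requested)
}

fn main() {
    // Constructed parameter sets: the RFC's recommended profile, and an
    // in-spec request for the maximum exponent (2^31 KiB = 2 TiB).
    let samples = [
        ("recommended t=3 p=4 m=16", Argon2S2k { t: 3, p: 4, m_log2: 16 }),
        ("in-spec maximum m=31", Argon2S2k { t: 1, p: 1, m_log2: 31 }),
        ("malformed m=4 with p=4", Argon2S2k { t: 3, p: 4, m_log2: 4 }),
    ];
    for (label, params) in &samples {
        match check_argon2_s2k(params, MAX_S2K_MEMORY_BYTES) {
            Ok(bytes) => println!("{label}: accept, {bytes} bytes"),
            Err(e) => println!("{label}: refuse, {e:?}"),
        }
    }
}
```

Refusing the packet before allocation is what turns an out-of-memory crash into a logged, recoverable decryption error; the cap itself is a deployment decision and should be set from the memory the process can actually spare.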

Exploit

Fix

Weakness Enumeration: Allocation of Resources Without Limits

Related Identifiers: CVE-2024-53857, GHSA-4GRW-M28R-Q285

Affected Products: Rpgp