CVE-2024-56375

Name of the Vulnerable Software and Affected Versions Fort versions 1.6.3 through 1.6.4

Description An integer underflow was discovered in Fort, allowing a malicious RPKI repository that descends from a trusted Trust Anchor to serve a Manifest RPKI object containing an empty fileList. This causes Fort to dereference and write to the array during a shuffle attempt, before the validation that would normally reject it when empty, resulting in an out-of-bounds access due to the integer underflow. The surrounding loop iterates infinitely, causing the product to become permanently stuck and nearly guaranteeing a crash.

Recommendations For Fort versions 1.6.3 and 1.6.4, update to version 1.6.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the RPKI repository to minimize the risk of exploitation.