CVE-2024-56375
HIGH - nicmx fort_validator 1.6.3-1.6.4 - Integer Underflow via Empty Manifest FileList
Title source: llmDescription
An integer underflow was discovered in Fort 1.6.3 and 1.6.4 before 1.6.5. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a Manifest RPKI object whose fileList is empty. Fort dereferences (and, shortly afterwards, writes to) this array while attempting to shuffle it, before the validation that would normally reject an empty list. The out-of-bounds access stems from an integer underflow that makes the surrounding loop iterate indefinitely. Because the process is permanently stuck shuffling an array that doesn't actually exist, a crash is nearly guaranteed.
References (2)
Issue Tracking, Vendor Advisory: https://github.com/NICMx/FORT-validator/issues/154
Vendor Advisory: https://nicmx.github.io/FORT-validator/CVE.html
Scores
CVSS v3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Attack Vector: NETWORK
EPSS: 0.0043 (percentile 34.4%)
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-191
Status: published
Products (2)
nicmx/fort_validator 1.6.3
nicmx/fort_validator 1.6.4
Published: Dec 22, 2024
Tracked Since: Feb 18, 2026