Debian: CVE-2024-45238: fort-validator -- security update
| Severity | CVSS v2 vector | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:N/I:N/A:C) | Aug 24, 2024 | Feb 25, 2025 | Mar 30, 2026 |
Description
An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a resource certificate containing a bit string that does not properly decode into a Subject Public Key. OpenSSL does not report this problem during parsing, and when Fort is compiled against OpenSSL libcrypto versions below 3 it dereferences the resulting pointer without checking it. Because Fort is an RPKI Relying Party, a crash can make Route Origin Validation unavailable, which in turn can lead to compromised routing.
Solution
Upgrade the Debian fort-validator package to a fixed version (Rapid7 solution reference: debian-upgrade-fort-validator).