Uninitialized Memory Access Bug Affects Motoko's Incremental Garbage Collector, Could Allow Unauthorized Access to Canister's Memory
CVE-2024-11991

5.6MEDIUM

Key Information:

Vendor: Internet Computer
Status: Motoko
Vendor: CVE Published:; 9 December 2024

Summary

Motoko's incremental garbage collector is impacted by an uninitialized memory access bug, caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unauthorized read or write access to a Canister's memory. However, exploiting this bug requires the Canister to enable the incremental garbage collector or enhanced orthogonal persistence, which are non-default features in Motoko.

Affected Version(s)

Motoko 0.9.0 <= 0.13.3

References

https://github.com/dfinity/motoko/pull/4677

https://github.com/dfinity/motoko/security/advisories/GHS...

CVSS V3.1

Score:

5.6

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 9, 2024
Vulnerability Reserved
Nov 29, 2024