Bug in ic_cdk Leads to Memory Leak in Rust Canisters
CVE-2024-7884

7.5 HIGH

Key Information:

Vendor: Internet Computer
Product: ic-cdk
CVE Published: 5 September 2024

Summary

This vulnerability arises when a canister method uses ic_cdk::call* and thereby creates a CallFuture, which lets the caller await the result of the call. The future's internal state, tracked by CallFutureState, can end up with extra references because of flaws in the polling implementation. These unaccounted references keep the state alive, so it stays allocated on the canister's heap and leaks. Rust canisters using ic_cdk and ic_cdk_timers that make inter-canister calls, use timers, or use heartbeat functionality leak a small amount of memory on every such operation, which can eventually exhaust the heap. There are currently no known workarounds; upgrade to one of the patched versions 0.8.2, 0.9.3, 0.10.1, 0.11.6, 0.12.2, 0.13.5, 0.14.1, or 0.15.1.
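The leak class described above, as an added illustration that is not ic_cdk's code: a hypothetical CallState/CallFuture model in which the first poll registers a callback by storing a reference to the state inside the state itself. A strong Rc there forms a cycle that survives the future being dropped; the fixed variant stores a Weak. The check a practitioner would want is the strong count observed through a Weak probe after the drop.

```rust
use std::cell::RefCell;
use std::future::Future;
use std::pin::Pin;
use std::rc::{Rc, Weak};
use std::task::{Context, Poll, RawWaker, RawWakerVTable, Waker};

// Hypothetical stand-in for the shared state behind a call future (not ic_cdk's
// real CallFutureState); `callback` models whatever is registered to resume it.
struct CallState {
    reply: Option<Vec<u8>>,
    callback: Option<Rc<RefCell<CallState>>>,        // strong: creates a cycle
    weak_callback: Option<Weak<RefCell<CallState>>>, // weak: no cycle
}

struct CallFuture { state: Rc<RefCell<CallState>>, leaky: bool }

impl Future for CallFuture {
    type Output = Vec<u8>;
    fn poll(self: Pin<&mut Self>, _cx: &mut Context<'_>) -> Poll<Vec<u8>> {
        let mut st = self.state.borrow_mut();
        if let Some(reply) = st.reply.take() { return Poll::Ready(reply); }
        // First poll registers the callback. A strong clone of the state stored
        // inside the state is the unaccounted reference: the count never hits 0.
        if self.leaky {
            st.callback = Some(Rc::clone(&self.state));
        } else {
            st.weak_callback = Some(Rc::downgrade(&self.state));
        }
        Poll::Pending
    }
}

fn noop_waker() -> Waker {
    unsafe fn clone(_: *const ()) -> RawWaker { RawWaker::new(std::ptr::null(), &VTABLE) }
    unsafe fn noop(_: *const ()) {}
    static VTABLE: RawWakerVTable = RawWakerVTable::new(clone, noop, noop, noop);
    unsafe { Waker::from_raw(RawWaker::new(std::ptr::null(), &VTABLE)) }
}

// Polls once, drops the pending future (as an abandoned timer or heartbeat call
// would) and returns surviving strong refs to the state: 0 = freed, else leaked.
pub fn leaked_refs_after_drop(leaky: bool) -> usize {
    let state = Rc::new(RefCell::new(CallState { reply: None, callback: None, weak_callback: None }));
    let probe = Rc::downgrade(&state);
    let mut fut = CallFuture { state, leaky };
    let waker = noop_waker();
    let mut cx = Context::from_waker(&waker);
    assert!(Pin::new(&mut fut).poll(&mut cx).is_pending());
    drop(fut);
    probe.strong_count()
}
```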

Affected Version(s)

ic-cdk 0.8.0 < 0.8.2

ic-cdk 0.9.0 < 0.9.3

ic-cdk 0.10.0 < 0.10.1

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
