CVE-2024-11991
CVSS V2 None
CVSS V3 None
Description
Motoko's incremental garbage collector is impacted by an uninitialized memory access bug, caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unauthorized read or write access to a Canister's memory. However, exploiting this bug requires the Canister to enable the incremental garbage collector or enhanced orthogonal persistence, which are non-default features in Motoko.
Overview
- CVE ID: CVE-2024-11991
- Assigner: Dfinity
- Vulnerability Status: PUBLISHED
- Published Version: 2024-12-09T14:38:07.288Z
- Last Modified Date: 2024-12-09T15:07:37.640Z
Weakness Enumerations
References
Reference URL | Reference Tags |
---|---|
https://github.com/dfinity/motoko/pull/4677 | |
https://github.com/dfinity/motoko/security/advisories/GHSA-9rhg-3qf8-hrv3 | |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-11991 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11991 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2024-12-10 13:50:55 | | | | Added to TrackCVE |