Description

Motoko's incremental garbage collector is impacted by an uninitialized memory access bug, caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unauthorized read or write access to a Canister's memory. However, exploiting this bug requires the Canister to enable the incremental garbage collector or enhanced orthogonal persistence, which are non-default features in Motoko.

INFO

Published Date :

2024-12-09T14:38:07.288Z

Last Modified :

2024-12-09T15:07:37.640Z

Source :

Dfinity
AFFECTED PRODUCTS

The following products are affected by CVE-2024-11991 vulnerability.

Vendors Products
Dfinity
  • Motoko
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-11991.

URL Resource
https://github.com/dfinity/motoko/pull/4677 cve-icon cve-icon
https://github.com/dfinity/motoko/security/advisories/GHSA-9rhg-3qf8-hrv3 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact