CVE-2024-11991

Dec. 9, 2024, 3:15 p.m.

CVSS Score

5.6 / 10

Product(s) Impacted

Motoko

Description

Motoko's incremental garbage collector is affected by an uninitialized memory access bug caused by incorrect use of write barriers in a few locations. The bug could allow unauthorized read or write access to a Canister's memory. Exploiting it requires the Canister to have been compiled with the incremental garbage collector (the `moc --incremental-gc` option) or with enhanced orthogonal persistence enabled; both are non-default features in Motoko, so Canisters built with the default collector are not affected.
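The failure mode behind a missing or misplaced write barrier, as an added illustration that is not Motoko's code (Motoko's runtime, object layout, allocator and barrier placement all differ, and the advisory does not say which stores were affected): a toy tri-colour incremental mark-sweep collector in Rust. Marking is interleaved with the mutator, so if the mutator stores a reference into an already-scanned (black) object and removes the only other path to the target while no barrier records the store, the target is never marked, is swept, and its cell is handed to the next allocation; the stale reference then aliases an unrelated, not-yet-initialized object, which is the kind of read/write into Canister memory the description refers to. The `Heap` model, the `scenario` function and the objects `a`, `b`, `c`, `d` are constructed for this example; the barrier shown is a Dijkstra-style insertion barrier, one common design rather than Motoko's.

```rust
// Added illustrative model of a tri-colour incremental mark-sweep collector; NOT Motoko's runtime.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Color { White, Gray, Black }

pub struct Object {
    pub color: Color,
    pub fields: Vec<Option<usize>>, // references to other objects, by heap index
    pub live: bool,                 // false once the sweeper has freed this cell
}

pub struct Heap { pub objects: Vec<Object>, pub roots: Vec<usize>, pub use_write_barrier: bool }

impl Heap {
    pub fn new(use_write_barrier: bool) -> Self { Heap { objects: vec![], roots: vec![], use_write_barrier } }

    // Allocate a white object, reusing a freed cell first, as real allocators do.
    pub fn alloc(&mut self, nfields: usize) -> usize {
        let obj = Object { color: Color::White, fields: vec![None; nfields], live: true };
        match self.objects.iter().position(|o| !o.live) {
            Some(i) => { self.objects[i] = obj; i }
            None => { self.objects.push(obj); self.objects.len() - 1 }
        }
    }

    fn shade(&mut self, idx: usize) {
        if self.objects[idx].color == Color::White { self.objects[idx].color = Color::Gray; }
    }

    pub fn start_marking(&mut self) { for r in self.roots.clone() { self.shade(r); } }

    // One marking increment: blacken one gray object, shade its children; false when none is left.
    pub fn mark_step(&mut self) -> bool {
        let i = match self.objects.iter().position(|o| o.live && o.color == Color::Gray) {
            Some(i) => i,
            None => return false,
        };
        self.objects[i].color = Color::Black;
        let children: Vec<usize> = self.objects[i].fields.iter().flatten().copied().collect();
        for c in children { self.shade(c); }
        true
    }

    // Mutator store. Barrier on: a reference stored into an already-black object is shaded
    // (Dijkstra-style insertion barrier). Barrier off: the collector never sees the store.
    pub fn write(&mut self, obj: usize, slot: usize, target: Option<usize>) {
        if self.use_write_barrier && self.objects[obj].color == Color::Black {
            if let Some(t) = target { self.shade(t); }
        }
        self.objects[obj].fields[slot] = target;
    }

    // Free every object still white; reset survivors to white for the next cycle.
    pub fn sweep(&mut self) -> usize {
        let mut freed = 0;
        for o in self.objects.iter_mut().filter(|o| o.live) {
            if o.color == Color::White { o.live = false; freed += 1; } else { o.color = Color::White; }
        }
        freed
    }

    // (holder, slot) pairs in live objects whose reference points at a freed cell.
    pub fn dangling_refs(&self) -> Vec<(usize, usize)> {
        let mut out = Vec::new();
        for (i, o) in self.objects.iter().enumerate().filter(|(_, o)| o.live) {
            for (s, f) in o.fields.iter().enumerate() {
                if let Some(t) = f { if !self.objects[*t].live { out.push((i, s)); } }
            }
        }
        out
    }
}

// Constructed scenario. Returns (c survived, dangling refs after the sweep,
// the stale reference now aliases a freshly allocated object).
pub fn scenario(use_write_barrier: bool) -> (bool, Vec<(usize, usize)>, bool) {
    let mut h = Heap::new(use_write_barrier);
    let a = h.alloc(2); // root with two slots
    let b = h.alloc(1);
    let c = h.alloc(0); // the object the collector loses track of
    h.roots.push(a);
    h.write(a, 0, Some(b));
    h.write(b, 0, Some(c));
    h.start_marking(); // a gray
    h.mark_step();     // a black, b gray, c still white
    // The mutator runs between increments: c is stored into the black `a`
    // and the only remaining unscanned path to it (through b) is cut.
    h.write(a, 1, Some(c));
    h.write(b, 0, None);
    while h.mark_step() {}
    h.sweep();
    let c_survived = h.objects[c].live;
    let dangling = h.dangling_refs();
    let d = h.alloc(0); // the next allocation reuses c's cell if c was freed
    let aliases = !c_survived && h.objects[a].fields[1] == Some(d);
    (c_survived, dangling, aliases)
}

fn main() {
    for barrier in [false, true] {
        println!("barrier={}: (c survived, dangling, aliases) = {:?}", barrier, scenario(barrier));
    }
}
```

With the barrier off, `c` is swept even though `a` still references it, and the next allocation `d` lands in the same cell, so `a.fields[1]` now reads and writes `d`'s memory. With the barrier on, the store into the black `a` shades `c`, the remaining marking increments reach it, and nothing dangles. The practical point for reviewing any incremental collector is that every store the collector can race with needs the barrier, not just most of them; the advisory describes exactly that gap in a few locations.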

Weaknesses

CWE-908
Use of Uninitialized Resource

The product uses or accesses a resource that has not been initialized.

CWE ID: 908

Date

Published: Dec. 9, 2024, 3:15 p.m.

Last Modified: Dec. 9, 2024, 3:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

Source

6b35d637-e00f-4228-858c-b20ad6e1d07b

CVSS Data

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

Base Score

5.6

Exploitability Score

2.2

Impact Score

3.4

Base Severity

MEDIUM

CVSS Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

References

https://github.com/ 6b35d637-e00f-4228-858c-b20ad6e1d07b