CVE-2024-11991

Dec. 9, 2024, 3:15 p.m.

5.6
Medium

Description

Motoko's incremental garbage collector is impacted by an uninitialized memory access bug, caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unauthorized read or write access to a Canister's memory. However, exploiting this bug requires the Canister to enable the incremental garbage collector or enhanced orthogonal persistence, which are non-default features in Motoko.

Product(s) Impacted

Product Versions
Motoko

Weaknesses

CWE-908
Use of Uninitialized Resource
The product uses or accesses a resource that has not been initialized.

References

https://github.com/dfinity/motoko/pull/4677
https://github.com/dfinity/motoko/security/advisories/GHSA-9rhg-3qf8-hrv3

Tags

6b35d637-e00f-4228-858c-b20ad6e1d07b
CWE-908
2024-12-09
CVE-2024-11991

CVSS Score

5.6 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: LOW
    • View Vector String

    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Date

  • Published: Dec. 9, 2024, 3:15 p.m.
  • Last Modified: Dec. 9, 2024, 3:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

6b35d637-e00f-4228-858c-b20ad6e1d07b

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.