CVE-2024-11991

MEDIUM

Motoko - Memory Corruption

Title source: llm

Description

Motoko's incremental garbage collector is impacted by an uninitialized memory access bug, caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unauthorized read or write access to a Canister's memory. However, exploiting this bug requires the Canister to enable the incremental garbage collector or enhanced orthogonal persistence, which are non-default features in Motoko.

References (2)

[Issue Tracking, Patch] https://github.com/dfinity/motoko/pull/4677

[Vendor Advisory] https://github.com/dfinity/motoko/security/advisories/GHSA-9rhg-3qf8-hrv3

Scores

CVSS v3 5.6

EPSS 0.0024

EPSS Percentile 46.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-908

Status published

Products (1)

dfinity/motoko 0.9.0 - 0.13.4

Published Dec 09, 2024

Tracked Since Feb 18, 2026