CVE-2024-11991

MEDIUM

Motoko 0.9.0-0.13.3 - Uninitialized Memory Access in Incremental Garbage Collector

Title source: llm

Description

Motoko's incremental garbage collector is impacted by an uninitialized memory access bug, caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unauthorized read or write access to a Canister's memory. However, exploiting this bug requires the Canister to enable the incremental garbage collector or enhanced orthogonal persistence, which are non-default features in Motoko.

References (2)

Core 2

Core References

Issue Tracking, Patch

https://github.com/dfinity/motoko/pull/4677

Vendor Advisory

https://github.com/dfinity/motoko/security/advisories/GHSA-9rhg-3qf8-hrv3

Scores

CVSS v3 5.6

EPSS 0.0023

EPSS Percentile 13.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-908

Status published

Products (1)

dfinity/motoko 0.9.0 - 0.13.4

Published Dec 09, 2024

Tracked Since Feb 18, 2026