CVE-2024-11991

Summary

Motoko's incremental garbage collector is impacted by an uninitialized memory access bug, caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unauthorized read or write access to a Canister's memory. However, exploiting this bug requires the Canister to enable the incremental garbage collector or enhanced orthogonal persistence, which are non-default features in Motoko.

Affected Software

VendorProductVersion RangeStatus
Internet ComputerMotoko0.9.0 <= 0.13.3affected

Weaknesses

  • CWE-908: CWE-908 Use of Uninitialized Resource

Workarounds

Disable incremental garbage collector and enhanced orthogonal persistence. i.e. do not compile with —incremental-gc or –enhanced-orthogonal-persistence options.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References