CVE-2024-11991: Uninitialized memory access in Motoko incremental garbage collector

5.6 CVSS

Description

Motoko's incremental garbage collector is impacted by an uninitialized memory access bug, caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unauthorized read or write access to a Canister's memory. However, exploiting this bug requires the Canister to enable the incremental garbage collector or enhanced orthogonal persistence, which are non-default features in Motoko.

Classification

CVE ID: CVE-2024-11991

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.6

Affected Products

Vendor: Internet Computer

Product: Motoko

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.44% (share of scored vulnerabilities with an equal or lower EPSS score)

EPSS Date: 2025-02-03 (date this score was calculated)

References

https://github.com/dfinity/motoko/pull/4677
https://github.com/dfinity/motoko/security/advisories/GHSA-9rhg-3qf8-hrv3
