Vulnerability Details CVE-2024-11991
Motoko's incremental garbage collector is impacted by an uninitialized memory access bug, caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unauthorized read or write access to a Canister's memory. However, exploiting this bug requires the Canister to enable the incremental garbage collector or enhanced orthogonal persistence, which are non-default features in Motoko.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 18.5%
CVSS Severity
CVSS v3 Score 5.6
References
Products affected by CVE-2024-11991
-
cpe:2.3:a:dfinity:motoko:0.10.0
-
cpe:2.3:a:dfinity:motoko:0.10.1
-
cpe:2.3:a:dfinity:motoko:0.10.2
-
cpe:2.3:a:dfinity:motoko:0.10.3
-
cpe:2.3:a:dfinity:motoko:0.10.4
-
cpe:2.3:a:dfinity:motoko:0.11.0
-
cpe:2.3:a:dfinity:motoko:0.11.1
-
cpe:2.3:a:dfinity:motoko:0.11.2
-
cpe:2.3:a:dfinity:motoko:0.11.3
-
cpe:2.3:a:dfinity:motoko:0.12.0
-
cpe:2.3:a:dfinity:motoko:0.12.1
-
cpe:2.3:a:dfinity:motoko:0.13.0
-
cpe:2.3:a:dfinity:motoko:0.13.1
-
cpe:2.3:a:dfinity:motoko:0.13.2
-
cpe:2.3:a:dfinity:motoko:0.13.3
-
cpe:2.3:a:dfinity:motoko:0.9.0
-
cpe:2.3:a:dfinity:motoko:0.9.1
-
cpe:2.3:a:dfinity:motoko:0.9.2
-
cpe:2.3:a:dfinity:motoko:0.9.3
-
cpe:2.3:a:dfinity:motoko:0.9.4
-
cpe:2.3:a:dfinity:motoko:0.9.5
-
cpe:2.3:a:dfinity:motoko:0.9.6
-
cpe:2.3:a:dfinity:motoko:0.9.7
-
cpe:2.3:a:dfinity:motoko:0.9.8