CVE-2024-11991 - Vulnerability Details - OpenCVE

Motoko's incremental garbage collector is impacted by an uninitialized memory access bug, caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unauthorized read or write access to a Canister's memory. However, exploiting this bug requires the Canister to enable the incremental garbage collector or enhanced orthogonal persistence, which are non-default features in Motoko.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://github.com/dfinity/motoko/pull/4677
https://github.com/dfinity/motoko/security/advisories/GHSA-9rhg-3qf8-hrv3

History

Tue, 15 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00038}`	epss `{'score': 0.00042}`

Mon, 09 Dec 2024 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 09 Dec 2024 14:45:00 +0000

Type	Values Removed	Values Added
Description		Motoko's incremental garbage collector is impacted by an uninitialized memory access bug, caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unauthorized read or write access to a Canister's memory. However, exploiting this bug requires the Canister to enable the incremental garbage collector or enhanced orthogonal persistence, which are non-default features in Motoko.
Title		Uninitialized memory access in Motoko incremental garbage collector
Weaknesses		CWE-908
References		https://github.com/dfinity/motoko/pull/4677 https://github.com/dfinity/motoko/security/advisories/GHSA-9rhg-3qf8-hrv3
Metrics		cvssV3_1 `{'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}`

MITRE

Status: PUBLISHED

Assigner: Dfinity

Published: 2024-12-09T14:38:07.288Z

Updated: 2024-12-09T15:07:37.640Z

Reserved: 2024-11-29T10:02:19.279Z

Link: CVE-2024-11991

Vulnrichment

Updated: 2024-12-09T15:07:34.136Z

NVD

Status : Received

Published: 2024-12-09T15:15:12.203

Modified: 2024-12-09T15:15:12.203

Link: CVE-2024-11991

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-11991", "assignerOrgId": "6b35d637-e00f-4228-858c-b20ad6e1d07b", "state": "PUBLISHED", "assignerShortName": "Dfinity", "dateReserved": "2024-11-29T10:02:19.279Z", "datePublished": "2024-12-09T14:38:07.288Z", "dateUpdated": "2024-12-09T15:07:37.640Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "moc", "product": "Motoko", "vendor": "Internet Computer", "versions": [{"lessThanOrEqual": "0.13.3", "status": "affected", "version": "0.9.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p></p><p>Motoko's incremental garbage collector is impacted by an uninitialized memory access bug, caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unauthorized read or write access to a Canister's memory. However, exploiting this bug requires the Canister to enable the incremental garbage collector or enhanced orthogonal persistence, which are non-default features in Motoko.</p><p></p>"}], "value": "Motoko's incremental garbage collector is impacted by an uninitialized memory access bug, caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unauthorized read or write access to a Canister's memory. However, exploiting this bug requires the Canister to enable the incremental garbage collector or enhanced orthogonal persistence, which are non-default features in Motoko."}], "impacts": [{"capecId": "CAPEC-131", "descriptions": [{"lang": "en", "value": "CAPEC-131 Resource Leak Exposure"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-908", "description": "CWE-908 Use of Uninitialized Resource", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6b35d637-e00f-4228-858c-b20ad6e1d07b", "shortName": "Dfinity", "dateUpdated": "2024-12-09T14:38:07.288Z"}, "references": [{"url": "https://github.com/dfinity/motoko/pull/4677"}, {"url": "https://github.com/dfinity/motoko/security/advisories/GHSA-9rhg-3qf8-hrv3"}], "source": {"discovery": "UNKNOWN"}, "title": "Uninitialized memory access in Motoko incremental garbage collector", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Disable incremental garbage collector and enhanced orthogonal persistence. i.e. do <strong>not compile</strong> with <i>\u2014incremental-gc</i> or <i>--enhanced-orthogonal-persistence</i> options.</p>"}], "value": "Disable incremental garbage collector and enhanced orthogonal persistence. i.e. do not compile\u00a0with\u00a0\u2014incremental-gc or --enhanced-orthogonal-persistence options."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-09T15:07:27.354775Z", "id": "CVE-2024-11991", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-09T15:07:37.640Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-11991", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-09T15:07:27.354775Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-09T15:07:34.136Z"}}], "cna": {"title": "Uninitialized memory access in Motoko incremental garbage collector", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-131", "descriptions": [{"lang": "en", "value": "CAPEC-131 Resource Leak Exposure"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Internet Computer", "product": "Motoko", "versions": [{"status": "affected", "version": "0.9.0", "versionType": "semver", "lessThanOrEqual": "0.13.3"}], "packageName": "moc", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/dfinity/motoko/pull/4677"}, {"url": "https://github.com/dfinity/motoko/security/advisories/GHSA-9rhg-3qf8-hrv3"}], "workarounds": [{"lang": "en", "value": "Disable incremental garbage collector and enhanced orthogonal persistence. i.e. do not compile\u00a0with\u00a0\u2014incremental-gc or --enhanced-orthogonal-persistence options.", "supportingMedia": [{"type": "text/html", "value": "<p>Disable incremental garbage collector and enhanced orthogonal persistence. i.e. do <strong>not compile</strong> with <i>\u2014incremental-gc</i> or <i>--enhanced-orthogonal-persistence</i> options.</p>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Motoko's incremental garbage collector is impacted by an uninitialized memory access bug, caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unauthorized read or write access to a Canister's memory. However, exploiting this bug requires the Canister to enable the incremental garbage collector or enhanced orthogonal persistence, which are non-default features in Motoko.", "supportingMedia": [{"type": "text/html", "value": "<p></p><p>Motoko's incremental garbage collector is impacted by an uninitialized memory access bug, caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unauthorized read or write access to a Canister's memory. However, exploiting this bug requires the Canister to enable the incremental garbage collector or enhanced orthogonal persistence, which are non-default features in Motoko.</p><p></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-908", "description": "CWE-908 Use of Uninitialized Resource"}]}], "providerMetadata": {"orgId": "6b35d637-e00f-4228-858c-b20ad6e1d07b", "shortName": "Dfinity", "dateUpdated": "2024-12-09T14:38:07.288Z"}}}, "cveMetadata": {"cveId": "CVE-2024-11991", "state": "PUBLISHED", "dateUpdated": "2024-12-09T15:07:37.640Z", "dateReserved": "2024-11-29T10:02:19.279Z", "assignerOrgId": "6b35d637-e00f-4228-858c-b20ad6e1d07b", "datePublished": "2024-12-09T14:38:07.288Z", "assignerShortName": "Dfinity"}, "dataVersion": "5.1"}