CVE-2024-11991

Source
https://cve.org/CVERecord?id=CVE-2024-11991
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-11991.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-11991
Aliases
  • GHSA-9rhg-3qf8-hrv3
Published
2024-12-09T14:38:07.288Z
Modified
2026-07-15T01:49:16.603638705Z
Severity
  • 5.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
Uninitialized memory access in Motoko incremental garbage collector
Details

Motoko's incremental garbage collector is impacted by an uninitialized memory access bug, caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unauthorized read or write access to a Canister's memory. However, exploiting this bug requires the Canister to enable the incremental garbage collector or enhanced orthogonal persistence, which are non-default features in Motoko.

Database specific
{
    "cwe_ids": [
        "CWE-908"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/11xxx/CVE-2024-11991.json",
    "cna_assigner": "Dfinity"
}
References

Affected packages

Git / github.com/caffeinelabs/motoko

Affected ranges

Type
GIT
Repo
https://github.com/caffeinelabs/motoko
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "0.9.0"
        },
        {
            "last_affected": "0.13.3"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

0.*
0.10.0
0.10.1
0.10.2
0.10.3
0.10.4
0.11.0
0.11.1
0.11.2
0.11.3
0.12.0
0.12.1
0.13.0
0.13.1
0.13.2
0.13.3
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-11991.json"