CVE-2024-11991 — MEDIUM (5.6)

Q: How severe is CVE-2024-11991?

CVE-2024-11991 has been rated MEDIUM with a CVSS base score of 5.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-11991?

Check the references section above for vendor advisories and patch information. Affected products include: Dfinity Motoko.

Vulnerability Description

Motoko's incremental garbage collector is impacted by an uninitialized memory access bug, caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unauthorized read or write access to a Canister's memory. However, exploiting this bug requires the Canister to enable the incremental garbage collector or enhanced orthogonal persistence, which are non-default features in Motoko.

CVSS Score

5.6

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Dfinity	Motoko	>= 0.9.0, < 0.13.4

Related Weaknesses (CWE)

CWE-908

References

https://github.com/dfinity/motoko/pull/4677Issue TrackingPatch
https://github.com/dfinity/motoko/security/advisories/GHSA-9rhg-3qf8-hrv3Vendor Advisory

FAQ

What is CVE-2024-11991?

CVE-2024-11991 is a vulnerability with a CVSS score of 5.6 (MEDIUM). Motoko's incremental garbage collector is impacted by an uninitialized memory access bug, caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unaut...

How severe is CVE-2024-11991?

CVE-2024-11991 has been rated MEDIUM with a CVSS base score of 5.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-11991?

Check the references section above for vendor advisories and patch information. Affected products include: Dfinity Motoko.