CVE-2024-11991 Information

Description

Motoko’s incremental garbage collector is impacted by an uninitialized memory access bug caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unauthorized read or write access to a Canister’s memory. However, exploiting this bug requires the Canister to enable the incremental garbage collector or enhanced orthogonal persistence, both of which are non-default features in Motoko.

Reference

https://github.com/dfinity/motoko/pull/4677
https://github.com/dfinity/motoko/security/advisories/GHSA-9rhg-3qf8-hrv3
