{"id":"CVE-2024-11991","details":"Motoko's incremental garbage collector is impacted by an uninitialized memory access bug, caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unauthorized read or write access to a Canister's memory. However, exploiting this bug requires the Canister to enable the incremental garbage collector or enhanced orthogonal persistence, which are non-default features in Motoko.","aliases":["GHSA-9rhg-3qf8-hrv3"],"modified":"2026-04-10T05:12:29.023556Z","published":"2024-12-09T15:15:12.203Z","references":[{"type":"ADVISORY","url":"https://github.com/dfinity/motoko/security/advisories/GHSA-9rhg-3qf8-hrv3"},{"type":"FIX","url":"https://github.com/dfinity/motoko/pull/4677"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dfinity/motoko","events":[{"introduced":"fa8c9be2043b9719e818d65d0d718723f04850e9"},{"fixed":"7a7263229c6fa2deb385789b95093826df0fa572"}],"database_specific":{"versions":[{"introduced":"0.9.0"},{"fixed":"0.13.4"}]}}],"versions":["0.10.0","0.10.1","0.10.2","0.10.3","0.10.4","0.11.0","0.11.1","0.11.2","0.11.3","0.12.0","0.12.1","0.13.0","0.13.1","0.13.2","0.13.3","0.9.0","0.9.1","0.9.2","0.9.3","0.9.4","0.9.5","0.9.6","0.9.7","0.9.8"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-11991.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}