{"id":"RUSTSEC-2024-0372","summary":"Memory leak when calling a canister method via `ic_cdk::call`","details":"When a canister method is called via `ic_cdk::call*`, a new Future `CallFuture` is created  and can be awaited by the caller to get the execution result. Internally, the state of the Future is tracked and stored in a struct called `CallFutureState`.  A bug in the polling implementation of the `CallFuture` allows multiple references to be held for this internal state and not all references were dropped before the `Future` is resolved. Since we have unaccounted references held, a copy of the internal state ended up being persisted in the canister's heap and thus causing a memory leak. \n\n### Impact\nCanisters built in Rust with `ic_cdk` and `ic_cdk_timers` are affected. If these canisters call a canister method, use timers or heartbeat, they will likely leak a small amount of memory on every such operation. **In the worst case, this could lead to heap memory exhaustion triggered by an attacker.**\n\nMotoko based canisters are not affected by the bug.\n\n### Patches\nThe patch has been backported to all minor versions between `\u003e= 0.8.0, \u003c= 0.15.0`. The patched versions available are `0.8.2, 0.9.3, 0.10.1, 0.11.6, 0.12.2, 0.13.5, 0.14.1, 0.15.1` and their previous versions have been yanked. \n\n### Workarounds\nThere are no known workarounds at the moment. Developers are recommended to upgrade their canister as soon as possible to the latest available patched version of `ic_cdk` to avoid running out of Wasm heap memory. \n\n\u003e Upgrading the canisters (without updating `ic_cdk`) also frees the leaked memory but it's only a temporary solution.\n\n### Referencesas\n- [dfinity/cdk-rs/pull/509](https://github.com/dfinity/cdk-rs/pull/509)\n- [ic_cdk docs](https://docs.rs/ic-cdk/latest/ic_cdk/)\n- [Internet Computer Specification](https://internetcomputer.org/docs/current/references/ic-interface-spec)","aliases":["CVE-2024-7884","GHSA-rwq6-crjg-9cpw"],"modified":"2024-09-07T18:23:36Z","published":"2024-09-05T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/ic-cdk"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2024-0372.html"},{"type":"WEB","url":"https://github.com/dfinity/cdk-rs/pull/509"}],"affected":[{"package":{"name":"ic-cdk","ecosystem":"crates.io","purl":"pkg:cargo/ic-cdk"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.8.0"},{"fixed":"0.8.2"},{"introduced":"0.9.0-0"},{"fixed":"0.9.3"},{"introduced":"0.10.0-0"},{"fixed":"0.10.1"},{"introduced":"0.11.0-0"},{"fixed":"0.11.6"},{"introduced":"0.12.0-0"},{"fixed":"0.12.2"},{"introduced":"0.13.0-0"},{"fixed":"0.13.5"},{"introduced":"0.14.0-0"},{"fixed":"0.14.1"},{"introduced":"0.15.0-0"},{"fixed":"0.15.1"},{"introduced":"0.16.0-0"},{"fixed":"0.16.0"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"os":[],"arch":[],"functions":[]}},"database_specific":{"informational":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0372.json","cvss":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","categories":["denial-of-service"]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}