PT-2024-38658 · Ic Cdk · Ic Cdk
Published 2024-09-05 · Updated 2024-09-12 · CVE-2024-7884
CVSS v4.0: 8.7 High
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
ic-cdk versions 0.8.0 through 0.15.0
Description
A bug in the polling implementation of the CallFuture allows multiple references to the internal state to be held, and not all of them are dropped before the Future is resolved, causing a memory leak. Canisters built in Rust with ic-cdk and ic-cdk-timers are affected. If these canisters call a canister method, or use timers or heartbeat, they will likely leak a small amount of memory on every such operation. In the worst case, this could lead to heap memory exhaustion triggered by an attacker. Motoko-based canisters are not affected by the bug.
Recommendations
To resolve the issue, upgrade to the latest available patched version of ic-cdk, such as 0.8.2, 0.9.3, 0.10.1, 0.11.6, 0.12.2, 0.13.5, 0.14.1, or 0.15.1. Upgrading the canisters without updating ic-cdk also frees the leaked memory but is only a temporary solution.
Fix
Memory Leak
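To apply the recommendation above to a project, the following added example (not code from ic-cdk or from this advisory) scans the text of a `Cargo.lock` for `ic-cdk` entries and flags versions that fall in the affected range. The function names and the sample lockfile are constructed for illustration, and the check assumes that within each release line the listed patched version and anything newer carry the fix.

```rust
// First patched patch level per affected 0.x release line, from the advisory.
const PATCHED: [(u64, u64); 8] =
    [(8, 2), (9, 3), (10, 1), (11, 6), (12, 2), (13, 5), (14, 1), (15, 1)];

// Parse "x.y.z", ignoring any pre-release or build suffix.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

// Assumption: within a release line, the listed patched release and anything
// after it carry the fix; unparseable versions are not flagged.
fn is_affected(version: &str) -> bool {
    match parse_version(version) {
        Some((0, minor, patch)) => PATCHED.iter().any(|&(m, fixed)| m == minor && patch < fixed),
        _ => false,
    }
}

// Collect affected ic-cdk versions from the text of a Cargo.lock file.
fn affected_in_lockfile(lock: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut in_ic_cdk = false;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            in_ic_cdk = false;
        } else if line == "name = \"ic-cdk\"" {
            in_ic_cdk = true;
        } else if in_ic_cdk {
            let v = line.strip_prefix("version = \"").and_then(|s| s.strip_suffix('"'));
            if let Some(v) = v.filter(|v| is_affected(v)) {
                hits.push(v.to_string());
            }
        }
    }
    hits
}

// Constructed sample lockfile content, not taken from a real project.
const SAMPLE_LOCK: &str = "[[package]]\nname = \"ic-cdk\"\nversion = \"0.11.4\"\n\n\
[[package]]\nname = \"ic-cdk\"\nversion = \"0.13.5\"\n\n\
[[package]]\nname = \"ic-cdk-timers\"\nversion = \"0.7.0\"\n";

fn main() {
    for v in affected_in_lockfile(SAMPLE_LOCK) {
        println!("ic-cdk {v} is in the affected range; upgrade to a patched release");
    }
}
```

A lockfile can pin more than one `ic-cdk` version when dependencies disagree, so every entry is checked rather than only the first.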
Affected Products
Ic Cdk