cvedb.io
CVE-2024-7884
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2024-09-05T13:15:11.390 · Last modified 2026-06-17T08:21:06.737

Summary

When a canister method is called via ic_cdk::call* , a new Future CallFuture is created and can be awaited by the caller to get the execution result. Internally, the state of the Future is tracked and stored in a struct called CallFutureState. A bug in the polling implementation of the CallFuture allows multiple references to be held for this internal state and not all references were dropped before the Future is resolved. Since we have unaccounted references held, a copy of the internal state ended up being persisted in the canister's heap and thus causing a memory leak. Impact Canisters built in Rust with ic_cdk and ic_cdk_timers are affected. If these canisters call a canister method, use timers or heartbeat, they will likely leak a small amount of memory on every such operation. In

Affected products

dfinity — canister_developer_kit_for_the_internet_computer

Does this affect you?

Add your gear to cvedb and we'll alert you only when dfinity ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.