CVE-2024-7884
📋 TL;DR
A memory leak vulnerability in Rust-based Internet Computer canisters using ic_cdk and ic_cdk_timers allows unaccounted references to persist in heap memory. This affects canisters that call methods, use timers, or heartbeat functions, potentially leading to heap exhaustion. Motoko-based canisters are not affected.
💻 Affected Systems
- ic_cdk
- ic_cdk_timers
📦 What is this software?
Canister Developer Kit For The Internet Computer by Dfinity
⚠️ Risk & Real-World Impact
Worst Case
An attacker could trigger repeated operations to exhaust heap memory, causing canister failure and denial of service.
Likely Case
Gradual memory accumulation over time leading to performance degradation and eventual canister instability.
If Mitigated
With patched versions, no memory leak occurs and canisters operate normally.
🎯 Exploit Status
Exploitation requires calling vulnerable canister methods, which may be accessible depending on canister design.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.8.2, 0.9.3, 0.10.1, 0.11.6, 0.12.2, 0.13.5, 0.14.1, 0.15.1
Vendor Advisory: https://github.com/dfinity/cdk-rs/pull/509
Restart Required: Yes
Instructions:
1. Update Cargo.toml to use patched ic_cdk version.
2. Rebuild and redeploy canister.
3. Verify memory usage stabilizes.
🔧 Temporary Workarounds
Canister Upgrade
Upgrading canisters temporarily frees leaked memory but doesn't prevent future leaks
dfx canister install --mode upgrade <canister_name>
🧯 If You Can't Patch
- Monitor canister memory usage closely and upgrade canisters periodically to clear accumulated memory
- Limit external calls to vulnerable canisters and implement rate limiting where possible
🔍 How to Verify
Check if Vulnerable:
Check Cargo.toml for an ic_cdk version from 0.8.0 through 0.15.0 that is not one of the patched versions
Check Version:
grep -E 'ic[-_]cdk' Cargo.toml
Verify Fix Applied:
Monitor canister memory usage after patch - should stabilize instead of continuously increasing
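The version check above can be automated against Cargo.lock, which records the resolved version rather than the requirement written in Cargo.toml. The following is an added example, not code from the advisory or from DFINITY; it assumes the patched-version list on this page applies to the ic-cdk package entry, and the sample lockfile is constructed.

```python
import re
import sys

# Patched patch-level for each affected 0.x minor line, as listed on this page.
PATCHED = {8: 2, 9: 3, 10: 1, 11: 6, 12: 2, 13: 5, 14: 1, 15: 1}

# A Cargo.lock [[package]] entry for ic-cdk only (not ic-cdk-timers or ic-cdk-macros).
PKG_RE = re.compile(
    r'\[\[package\]\]\s*\nname = "ic[-_]cdk"\s*\nversion = "(\d+)\.(\d+)\.(\d+)'
)

# Constructed sample lockfile: two ic-cdk versions can coexist via transitive deps.
SAMPLE_LOCK = '''\
version = 3

[[package]]
name = "ic-cdk"
version = "0.13.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "ic-cdk"
version = "0.15.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "ic-cdk-timers"
version = "0.7.0"
'''

def classify(major, minor, patch):
    """Status of one ic_cdk version against the page's patched-version list."""
    if major != 0 or minor not in PATCHED:
        return "outside listed range"
    return "patched" if patch >= PATCHED[minor] else "vulnerable"

def audit_lockfile(text):
    """Map every resolved ic-cdk version in Cargo.lock text to its status."""
    found = {}
    for m in PKG_RE.finditer(text):
        major, minor, patch = map(int, m.groups())
        found[f"{major}.{minor}.{patch}"] = classify(major, minor, patch)
    return found

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for version, status in sorted(audit_lockfile(text).items()):
        print(f"ic-cdk {version}: {status}")
```

Run it with the path to a project's Cargo.lock as the only argument; with no argument it audits the constructed sample.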
📡 Detection & Monitoring
Log Indicators:
- Unusual memory growth patterns
- Canister out-of-memory errors
Network Indicators:
- Increased call frequency to vulnerable canister methods
SIEM Query:
memory_usage > threshold AND canister_type = 'rust' AND ic_cdk_version in vulnerable_range