We encountered a bug in the Motoko runtime system that, under specific circumstances, could lead to unwanted memory writes or reads. Programs are only affected if they use the incremental garbage collector (compile option —incremental-gc
) or enhanced orthogonal persistence (compile-option --enhanced-orthogonal-persistence
). The bug is hard to trigger, as it depends on heap constellations, GC scheduling, and the use of specific language features at a large or frequent scale.
The bug is fixed in the recent Motoko release 0.14.3 deployed in dfx
version 0.24.3. If you are using the incremental garbage collector or enhanced orthogonal persistence, we strongly recommend you to upgrade your Motoko program with the latest dfx.
Instructions:
- Download or upgrade to latest dfx 0.24.3 or higher:
dfxvm update
- For all your Motoko applications on IC:
dfx deploy —network ic
We also have a GitHub security advisory for this: GH advisory: Uninitialized memory access in Motoko incremental garbage collector · Advisory · dfinity/motoko · GitHub
If you have any questions, please do not hesitate to contact us via team-motoko@dfinity.org
Many thanks
Luc