
Cloud Vulnerability DB
A community-led vulnerabilities database
A memory leak vulnerability (CVE-2024-7884) was discovered in the Internet Computer's Canister Developer Kit (ic-cdk) for Rust. When a canister method is called via ic_cdk::call*, a new CallFuture future is created, but a bug in the polling implementation allows multiple references to the future's internal state to be held, causing memory leaks when not all of those references are dropped before the future is resolved (IC CDK Docs, NVD).
The vulnerability stems from the CallFutureState struct's internal state tracking mechanism. When the future is resolved, not all references to the internal state are properly dropped, so copies of the state persist in the canister's heap. This affects canisters built with ic-cdk and ic-cdk-timers that call canister methods, use timers, or use the heartbeat functionality. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 HIGH with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).
The vulnerability causes affected canisters to leak a small amount of memory on each operation involving canister method calls, timers, or heartbeat functions. In the worst case this leads to heap memory exhaustion, which could be triggered by an attacker. Notably, Motoko-based canisters are not affected by this vulnerability (NVD).
The vulnerability has been patched across multiple versions. The fix has been backported to all minor versions between 0.8.0 and 0.15.0. The patched versions are 0.8.2, 0.9.3, 0.10.1, 0.11.6, 0.12.2, 0.13.5, 0.14.1, and 0.15.1; the previous versions have been yanked. There are no known workarounds, and developers are strongly advised to upgrade their canisters to the latest patched version of ic-cdk. Upgrading a canister without updating ic-cdk does free the leaked memory, but only until the leak accumulates again (NVD, CDK PR).
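The following is an added illustration of the leak class described above, not ic-cdk's code and not its actual fix: a simplified call future whose result arrives through a runtime-registered callback. In the leaky variant the callback keeps a strong Rc to the call state, so the state outlives the resolved future; the fixed variant holds only a Weak reference, and a Weak observer is used to detect whether the state is still alive after the caller dropped it. The Runtime, CallState and function names are all constructed for this example.

```rust
use std::cell::RefCell;
use std::rc::{Rc, Weak};

// Simplified model of a pending inter-canister call's shared state (constructed, not ic-cdk's type).
#[derive(Default)]
struct CallState {
    result: Option<Vec<u8>>,
}

type Callback = Box<dyn FnMut(Vec<u8>)>;

// Stands in for runtime-owned storage on the canister heap that outlives any single call.
#[derive(Default)]
struct Runtime {
    callbacks: Vec<Callback>,
}

impl Runtime {
    // Leaky variant: the registered callback owns a strong reference to the state,
    // so the state stays alive as long as the callback table keeps it.
    fn call_leaky(&mut self) -> Rc<RefCell<CallState>> {
        let state = Rc::new(RefCell::new(CallState::default()));
        let strong = Rc::clone(&state);
        self.callbacks.push(Box::new(move |reply| {
            strong.borrow_mut().result = Some(reply);
        }));
        state
    }

    // Fixed variant: the callback holds only a Weak reference; once the caller
    // (the last strong owner) drops its handle, the state is freed.
    fn call_fixed(&mut self) -> Rc<RefCell<CallState>> {
        let state = Rc::new(RefCell::new(CallState::default()));
        let weak: Weak<RefCell<CallState>> = Rc::downgrade(&state);
        self.callbacks.push(Box::new(move |reply| {
            if let Some(s) = weak.upgrade() {
                s.borrow_mut().result = Some(reply);
            }
        }));
        state
    }

    // Delivers a reply to every registered callback (the future "resolves").
    fn deliver_reply(&mut self, reply: Vec<u8>) {
        for cb in self.callbacks.iter_mut() {
            cb(reply.clone());
        }
    }
}

// Returns (reply was delivered, state still alive after the caller dropped its handle).
fn leaked_after_resolution(leaky: bool) -> (bool, bool) {
    let mut rt = Runtime::default();
    let state = if leaky { rt.call_leaky() } else { rt.call_fixed() };
    let observer = Rc::downgrade(&state); // Weak observer: does not keep the state alive.
    rt.deliver_reply(b"reply".to_vec());
    let delivered = state.borrow().result.is_some();
    drop(state); // The caller is done with the resolved future.
    // Any remaining strong count means something on the "heap" still owns a copy.
    (delivered, observer.strong_count() > 0)
}

fn main() {
    println!("leaky variant (delivered, leaked): {:?}", leaked_after_resolution(true));
    println!("fixed variant (delivered, leaked): {:?}", leaked_after_resolution(false));
}
```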
Source: This report was generated using AI