Unrated severity · NVD Advisory · Published Apr 13, 2011 · Updated Apr 29, 2026
CVE-2011-0990
Description
Race condition in the FastCopy optimization in the Array.Copy method in metadata/icall.c in Mono, when Moonlight 2.x before 2.4.1 or 3.x before 3.99.3 is used, allows remote attackers to trigger a buffer overflow and modify internal data structures, and cause a denial of service (plugin crash) or corrupt the internal state of the security manager, via a crafted media file in which a thread makes a change after a type check but before a copy action.
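The check-then-copy window named in the description, as an added example that is not Mono's code and not part of the advisory. It is a single-threaded model: `Obj`, `RaceHook`, `copy_two_pass`, `copy_checked` and the sample data are hypothetical names, and the hook stands in for the second thread's write.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy stand-ins (assumptions): a type-tagged object and arrays of object pointers. */
typedef struct { int type_id; int payload; } Obj;
typedef void (*RaceHook)(Obj **src, size_t n); /* models the other thread's write */
typedef int (*CopyFn)(Obj **dst, Obj **src, size_t n, int want, RaceHook hook);

/* Racy shape: pass 1 checks every element, pass 2 re-reads the source to copy.
   A write landing between the passes puts an unchecked element into dst. */
int copy_two_pass(Obj **dst, Obj **src, size_t n, int want, RaceHook hook) {
    for (size_t i = 0; i < n; i++)
        if (src[i] && src[i]->type_id != want) return 0;
    if (hook) hook(src, n);                 /* window: after check, before copy */
    for (size_t i = 0; i < n; i++) dst[i] = src[i];
    return 1;
}

/* Hardened shape: read each slot once, check that snapshot, store that snapshot.
   Real concurrent code must also make the read a single atomic load. */
int copy_checked(Obj **dst, Obj **src, size_t n, int want, RaceHook hook) {
    for (size_t i = 0; i < n; i++) {
        Obj *elem = src[i];
        if (elem && elem->type_id != want) return 0;
        if (hook) hook(src, n);             /* same window, now harmless */
        dst[i] = elem;
    }
    return 1;
}

/* Constructed sample data: two elements of type 1 and one object of type 2. */
static Obj good0 = {1, 10}, good1 = {1, 11}, other = {2, 99};
static void swap_in_other(Obj **src, size_t n) { if (n > 1) src[1] = &other; }

/* Runs one copy under the simulated race; counts wrong-typed elements in dst. */
int leaked_wrong_type(CopyFn copy) {
    Obj *src[2] = { &good0, &good1 }, *dst[2] = { NULL, NULL };
    int leaked = 0;
    copy(dst, src, 2, 1, swap_in_other);
    for (size_t i = 0; i < 2; i++)
        if (dst[i] && dst[i]->type_id != 1) leaked++;
    return leaked;
}

int main(void) {
    printf("two-pass leaked: %d\n", leaked_wrong_type(copy_two_pass));
    printf("checked leaked:  %d\n", leaked_wrong_type(copy_checked));
    return 0;
}
```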
Affected products
- cpe:2.3:a:novell:moonlight:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:novell:moonlight:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:novell:moonlight:2.4:*:*:*:*:*:*:*
- cpe:2.3:a:novell:moonlight:2.31:*:*:*:*:*:*:*
- cpe:2.3:a:novell:moonlight:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:novell:moonlight:3.99:*:*:*:*:*:*:*
Patches
2f00e4bbb213: Disable some of the FastCopy fast paths since they are racy.
1 file changed · +12 −3
mono/metadata/icall.c+12 −3 modified@@ -718,7 +718,6 @@ ves_icall_System_Array_FastCopy (MonoArray *source, int source_idx, MonoArray* d void * source_addr; MonoClass *src_class; MonoClass *dest_class; - int i; MONO_ARCH_SAVE_REGS; @@ -742,6 +741,10 @@ ves_icall_System_Array_FastCopy (MonoArray *source, int source_idx, MonoArray* d /* Case1: object[] -> valuetype[] (ArrayList::ToArray) */ if (src_class == mono_defaults.object_class && dest_class->valuetype) { + // FIXME: This is racy + return FALSE; + /* + int i; int has_refs = dest_class->has_references; for (i = source_idx; i < source_idx + length; ++i) { MonoObject *elem = mono_array_get (source, MonoObject*, i); @@ -762,6 +765,7 @@ ves_icall_System_Array_FastCopy (MonoArray *source, int source_idx, MonoArray* d memcpy (addr, (char *)elem + sizeof (MonoObject), element_size); } return TRUE; + */ } /* Check if we're copying a char[] <==> (u)short[] */ @@ -772,13 +776,18 @@ ves_icall_System_Array_FastCopy (MonoArray *source, int source_idx, MonoArray* d if (mono_class_is_subclass_of (src_class, dest_class, FALSE)) ; /* Case2: object[] -> reftype[] (ArrayList::ToArray) */ - else if (mono_class_is_subclass_of (dest_class, src_class, FALSE)) + else if (mono_class_is_subclass_of (dest_class, src_class, FALSE)) { + // FIXME: This is racy + return FALSE; + /* + int i; for (i = source_idx; i < source_idx + length; ++i) { MonoObject *elem = mono_array_get (source, MonoObject*, i); if (elem && !mono_object_isinst (elem, dest_class)) return FALSE; } - else + */ + } else return FALSE; }
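Review bot: In the Case1 hunk (object[] -> valuetype[]) the disabled body is left inside a /* ... */ block after an unconditional return FALSE, which is fragile: C block comments do not nest, so any /* */ comment among the wrapped lines would end the block early and bring part of the loop back. Delete the body or wrap it in #if 0 / #endif instead, and expand "FIXME: This is racy" to name the race (per the advisory text, the source elements can change after the type check but before the memcpy) so that whoever restores the fast path knows what has to be made safe.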
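Review bot: In the Case2 hunk (object[] -> reftype[]) both the new braced else-if arm and the trailing else now return FALSE, so the mono_class_is_subclass_of (dest_class, src_class, FALSE) call is evaluated with no effect on the result. Collapse the two arms into a single else return FALSE and keep one comment that records which case was disabled and why; that also removes the commented-out loop and the int i declaration sitting inside dead code.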
References
- openwall.com/lists/oss-security/2011/04/06/14 (nvd, Patch)
- bugzilla.novell.com/show_bug.cgi (nvd, Patch)
- github.com/mono/mono/commit/2f00e4bbb2137130845afb1b2a1e678552fc8e5c (nvd, Patch)
- secunia.com/advisories/44002 (nvd, Vendor Advisory)
- secunia.com/advisories/44076 (nvd, Vendor Advisory)
- www.vupen.com/english/advisories/2011/0904 (nvd, Vendor Advisory)
- lists.opensuse.org/opensuse-updates/2011-04/msg00024.html (nvd)
- www.mono-project.com/Vulnerabilities (nvd)
- www.securityfocus.com/bid/47208 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/66625 (nvd)