CVE-2026-1998

Name
CVE-2026-1998
Description
A flaw has been found in micropython up to 1.27.0. This vulnerability affects the function mp_import_all of the file py/runtime.c. This manipulation causes memory corruption. The attack needs to be launched locally. The exploit has been published and may be used. Patch name: 570744d06c5ba9dba59b4c3f432ca4f0abd396b6. It is suggested to install a patch to address this issue.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
cna@vuldb.com https://github.com/dpgeorge/micropython/commit/570744d06c5ba9dba59b4c3f432ca4f0abd396b6
cna@vuldb.com https://github.com/micropython/micropython/
cna@vuldb.com https://github.com/micropython/micropython/issues/18639
cna@vuldb.com https://github.com/micropython/micropython/issues/18639#issue-3780651410
cna@vuldb.com https://github.com/micropython/micropython/pull/18671
cna@vuldb.com https://vuldb.com/?ctiid.344546
cna@vuldb.com https://vuldb.com/?id.344546
cna@vuldb.com https://vuldb.com/?submit.743396

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:micropython:micropython:*:*:*:*:*:*:*:* micropython >= None <= 1.27.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
micropython edge-community 1.27.0-r0 Marian Buschsieweke <marian.buschsieweke@posteo.net> possibly vulnerable
micropython edge-community 1.26.1-r0 Marian Buschsieweke <marian.buschsieweke@posteo.net> possibly vulnerable
micropython edge-community 1.24.1-r0 Marian <marian.buschsieweke@posteo.net> possibly vulnerable
micropython 3.23-community 1.26.1-r0 Marian Buschsieweke <marian.buschsieweke@posteo.net> possibly vulnerable