CVE-2026-1998

A flaw has been found in micropython up to 1.27.0. This vulnerability affects the function mpimportall of the file py/runtime.c. This manipulation causes memory corruption. The attack needs to be launched locally. The exploit has been published and may be used. Patch name: 570744d06c5ba9dba59b4c3f432ca4f0abd396b6. It is suggested to install a patch to address this issue.

References

Affected packages

Git / github.com/dpgeorge/micropython

Affected ranges

Type
Repo: https://github.com/dpgeorge/micropython
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

570744d06c5ba9dba59b4c3f432ca4f0abd396b6

Type

GIT

Repo

https://github.com/micropython/micropython

Events

Introduced

Last affected

78ff170de9e32c79db6e64d3e33d2bd60002bdcd

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.27.0"
        }
    ]
}

Affected versions

v1.*

v1.0

v1.0-rc1

v1.0.1

v1.1

v1.1.1

v1.10

v1.11

v1.12

v1.13

v1.14

v1.15

v1.16

v1.17

v1.18

v1.19

v1.19.1

v1.2

v1.20.0

v1.21.0

v1.22.0

v1.22.0-preview

v1.23.0

v1.23.0-preview

v1.24.0

v1.24.0-preview

v1.25.0

v1.25.0-preview

v1.26.0

v1.26.0-preview

v1.27.0

v1.27.0-preview

v1.3

v1.3.1

v1.3.10

v1.3.2

v1.3.3

v1.3.4

v1.3.5

v1.3.6

v1.3.7

v1.3.8

v1.3.9

v1.4

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.4.5

v1.4.6

v1.5

v1.5.1

v1.5.2

v1.6

v1.7

v1.8

v1.8.1

v1.8.2

v1.8.3

v1.8.4

v1.8.5

v1.8.6

v1.8.7

v1.9

v1.9.1

v1.9.2

v1.9.3

v1.9.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-1998.json"