CVE-2026-1998
Memory Corruption in MicroPython mp_import_all Function
Publication date: 2026-02-06
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| micropython | micropython | to 1.27.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
Can you explain this vulnerability to me?
CVE-2026-1998 is a memory corruption vulnerability in MicroPython versions up to 1.27.0, specifically in the function mp_import_all located in py/runtime.c. The vulnerability occurs when the import-all operation (from x import *) is performed on a malformed or non-module object, causing the function to improperly handle memory buffers. This leads to corrupted map pointers and a segmentation fault in the mp_map_lookup function, which attempts to dereference invalid memory addresses. The root cause is that mp_import_all assumed its argument was always a native module, but non-module objects can be passed in, causing crashes.
The vulnerability requires local access to exploit and can be triggered by overriding the built-in __import__ function to return a custom object with attributes, then performing a from a import * operation. This causes the MicroPython runtime to crash due to invalid memory access.
A patch has been released that fixes the issue by making mp_import_all handle non-module objects correctly, using their __dict__ or __all__ attributes to safely perform the import-all operation without causing memory corruption.
How can this vulnerability impact me? :
This vulnerability can be exploited locally to cause a Denial of Service (DoS) by crashing the MicroPython runtime. An attacker can trigger a segmentation fault by performing a crafted import operation on a malformed or non-module object, leading to process termination or device reset.
The impact is primarily on availability, as the memory corruption causes the interpreter to crash, potentially disrupting the operation of embedded systems or devices running MicroPython.
Since the exploit requires local access, remote exploitation is not possible, but local users or processes with limited privileges can still trigger the crash.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability is a local memory corruption issue in MicroPython's import mechanism, specifically triggered by executing a `from ... import *` operation on a malformed or non-module object. Detection involves reproducing the crash condition locally by running a proof-of-concept script that overrides the built-in `__import__` function to return a custom object with attributes, then performing `from a import *` to trigger the segmentation fault."}, {'type': 'paragraph', 'content': 'A suggested detection method is to run a Python script similar to the proof-of-concept that triggers the crash, for example:'}, {'type': 'list_item', 'content': 'Override the `__import__` function to return a custom object.'}, {'type': 'list_item', 'content': 'Execute `from a import *` in MicroPython environment.'}, {'type': 'paragraph', 'content': 'If the MicroPython runtime crashes or segfaults during this operation, the vulnerability is present.'}, {'type': 'paragraph', 'content': 'No specific network detection commands are applicable since the attack requires local access and is triggered by local code execution.'}] [3, 4]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to apply the official patch released for this vulnerability. The patch modifies the `mp_import_all()` function to safely handle non-module objects during `from x import *` operations, preventing memory corruption and segmentation faults.
Specifically, update your MicroPython installation to include the fix identified by commit `570744d06c5ba9dba59b4c3f432ca4f0abd396b6`.
If immediate patching is not possible, avoid running untrusted or malformed import statements that use `from ... import *` on objects that might not be native modules.
Since the vulnerability requires local access, restrict local user permissions and access to the MicroPython environment to trusted users only.