Executive Summary

CVE-2026-1998 is a memory corruption vulnerability in MicroPython versions up to 1.27.0, specifically in the function mp_import_all located in py/runtime.c. The vulnerability occurs when the import-all operation (from x import *) is performed on a malformed or non-module object, causing the function to improperly handle memory buffers. This leads to corrupted map pointers and a segmentation fault in the mp_map_lookup function, which attempts to dereference invalid memory addresses. The root cause is that mp_import_all assumed its argument was always a native module, but non-module objects can be passed in, causing crashes.

The vulnerability requires local access to exploit and can be triggered by overriding the built-in __import__ function to return a custom object with attributes, then performing a from a import * operation. This causes the MicroPython runtime to crash due to invalid memory access.

A patch has been released that fixes the issue by making mp_import_all handle non-module objects correctly, using their __dict__ or __all__ attributes to safely perform the import-all operation without causing memory corruption.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can be exploited locally to cause a Denial of Service (DoS) by crashing the MicroPython runtime. An attacker can trigger a segmentation fault by performing a crafted import operation on a malformed or non-module object, leading to process termination or device reset.

The impact is primarily on availability, as the memory corruption causes the interpreter to crash, potentially disrupting the operation of embedded systems or devices running MicroPython.

Since the exploit requires local access, remote exploitation is not possible, but local users or processes with limited privileges can still trigger the crash.

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability is a local memory corruption issue in MicroPython's import mechanism, specifically triggered by executing a `from ... import *` operation on a malformed or non-module object. Detection involves reproducing the crash condition locally by running a proof-of-concept script that overrides the built-in `__import__` function to return a custom object with attributes, then performing `from a import *` to trigger the segmentation fault."}, {'type': 'paragraph', 'content': 'A suggested detection method is to run a Python script similar to the proof-of-concept that triggers the crash, for example:'}, {'type': 'list_item', 'content': 'Override the `__import__` function to return a custom object.'}, {'type': 'list_item', 'content': 'Execute `from a import *` in MicroPython environment.'}, {'type': 'paragraph', 'content': 'If the MicroPython runtime crashes or segfaults during this operation, the vulnerability is present.'}, {'type': 'paragraph', 'content': 'No specific network detection commands are applicable since the attack requires local access and is triggered by local code execution.'}] [3, 4]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to apply the official patch released for this vulnerability. The patch modifies the `mp_import_all()` function to safely handle non-module objects during `from x import *` operations, preventing memory corruption and segmentation faults.

Specifically, update your MicroPython installation to include the fix identified by commit `570744d06c5ba9dba59b4c3f432ca4f0abd396b6`.

If immediate patching is not possible, avoid running untrusted or malformed import statements that use `from ... import *` on objects that might not be native modules.

Since the vulnerability requires local access, restrict local user permissions and access to the MicroPython environment to trusted users only.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0