CVE-2026-1998

LOW

Micropython <1.27.0 - Memory Corruption

Title source: llm

Description

A flaw has been found in micropython up to 1.27.0. This vulnerability affects the function mp_import_all of the file py/runtime.c. This manipulation causes memory corruption. The attack needs to be launched locally. The exploit has been published and may be used. Patch name: 570744d06c5ba9dba59b4c3f432ca4f0abd396b6. It is suggested to install a patch to address this issue.

References (8)

[Patch] https://github.com/dpgeorge/micropython/commit/570744d06c5ba9dba59b4c3f432ca4f0abd396b6

View Patch ZIP pw:eip

[Product] https://github.com/micropython/micropython/

[Exploit, Issue Tracking] https://github.com/micropython/micropython/issues/18639

[Exploit, Issue Tracking] https://github.com/micropython/micropython/issues/18639#issue-3780651410

[Exploit, Issue Tracking] https://github.com/micropython/micropython/pull/18671

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.344546

[Third Party Advisory, VDB Entry] https://vuldb.com/?id.344546

[Exploit, Third Party Advisory, VDB Entry] https://vuldb.com/?submit.743396

Scores

CVSS v3 3.3

EPSS 0.0003

EPSS Percentile 7.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Classification

CWE

CWE-119 CWE-787

Status published

Affected Products (1)

micropython/micropython < 1.27.0

Timeline

Published Feb 06, 2026

Tracked Since Feb 18, 2026