Description
A flaw has been found in micropython up to 1.27.0. This vulnerability affects the function mp_import_all of the file py/runtime.c. This manipulation causes memory corruption. The attack needs to be launched locally. The exploit has been published and may be used. Patch name: 570744d06c5ba9dba59b4c3f432ca4f0abd396b6. It is suggested to install a patch to address this issue.
Published: 2026-02-06
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Apply Patch
AI Analysis

Impact

A flaw was identified in MicroPython versions up to 1.27.0 in the mp_import_all function within py/runtime.c. Manipulation of this function can corrupt memory in the interpreter. This memory corruption could lead to a crash of the interpreter or, at a minimum, an unauthorized manipulation of internal state. The CVE description does not explicitly confirm arbitrary code execution, but the nature of the flaw and the fact that an exploit has been published indicate a significant risk if an attacker can trigger it.

Affected Systems

MicroPython, a lightweight Python interpreter for embedded devices, is affected in all releases up to and including 1.27.0. The vulnerability is catalogued in the CPE database under cpe:2.3:a:micropython:micropython:*:*:*:*:*:*:*:* and is relevant to any deployment that runs the mp_import_all routine locally.

Risk and Exploitability

The CVSS score of 4.8 rates this as a medium severity issue. The EPSS score is reported as <1%, indicating a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires local access, meaning an adversary must execute code or supply input directly on the device hosting the MicroPython interpreter. Exploit code is publicly available on GitHub and the corresponding patch has been committed; the low EPSS score suggests that widespread exploitation has not yet occurred. Nonetheless, the possibility of a local attacker using the flaw to corrupt memory, potentially leading to a denial of service or upstream impact on co-located processes, warrants prompt remedial action.

Generated by OpenCVE AI on April 18, 2026 at 13:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MicroPython to a patched version or apply the official patch commit 570744d06c5ba9dba59b4c3f432ca4f0abd396b6, ensuring that the mp_import_all functionality is fixed.
  • If a patch cannot be applied immediately, restrict the execution of the MicroPython interpreter to a sandboxed environment, limiting file system access and denying execution by untrusted users to reduce the chances of triggering the flaw.
  • Actively monitor the interpreter process for abnormal memory behavior or crash logs, and consider disabling or sanitizing external input that could invoke mp_import_all during early stages of an update.



Advisories

No advisories yet.

History

Tue, 17 Feb 2026 19:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-787 |
| CPEs | | cpe:2.3:a:micropython:micropython:*:*:*:*:*:*:*:* |

Thu, 12 Feb 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Mon, 09 Feb 2026 11:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Micropython; Micropython micropython |
| Vendors & Products | | Micropython; Micropython micropython |

Fri, 06 Feb 2026 06:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A flaw has been found in micropython up to 1.27.0. This vulnerability affects the function mp_import_all of the file py/runtime.c. This manipulation causes memory corruption. The attack needs to be launched locally. The exploit has been published and may be used. Patch name: 570744d06c5ba9dba59b4c3f432ca4f0abd396b6. It is suggested to install a patch to address this issue. |
| Title | | micropython runtime.c mp_import_all memory corruption |
| Weaknesses | | CWE-119 |
| References | | |
| Metrics (cvssV2_0) | | {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'} |
| Metrics (cvssV3_0) | | {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'} |
| Metrics (cvssV3_1) | | {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'} |
| Metrics (cvssV4_0) | | {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'} |

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:22:01.000Z

Reserved: 2026-02-05T17:09:46.272Z

Link: CVE-2026-1998

Vulnrichment

Updated: 2026-02-12T15:09:00.777Z

NVD

Status: Analyzed

Published: 2026-02-06T07:16:12.553

Modified: 2026-02-17T19:15:46.333

Link: CVE-2026-1998

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:45:45Z

Weaknesses