{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1998", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-05T17:09:46.272Z", "datePublished": "2026-02-06T06:02:08.671Z", "dateUpdated": "2026-02-23T09:22:01.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:22:01.000Z"}, "title": "micropython runtime.c mp_import_all memory corruption", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "Memory Corruption"}]}], "affected": [{"vendor": "n/a", "product": "micropython", "versions": [{"version": "1.0", "status": "affected"}, {"version": "1.1", "status": "affected"}, {"version": "1.2", "status": "affected"}, {"version": "1.3", "status": "affected"}, {"version": "1.4", "status": "affected"}, {"version": "1.5", "status": "affected"}, {"version": "1.6", "status": "affected"}, {"version": "1.7", "status": "affected"}, {"version": "1.8", "status": "affected"}, {"version": "1.9", "status": "affected"}, {"version": "1.10", "status": "affected"}, {"version": "1.11", "status": "affected"}, {"version": "1.12", "status": "affected"}, {"version": "1.13", "status": "affected"}, {"version": "1.14", "status": "affected"}, {"version": "1.15", "status": "affected"}, {"version": "1.16", "status": "affected"}, {"version": "1.17", "status": "affected"}, {"version": "1.18", "status": "affected"}, {"version": "1.19", "status": "affected"}, {"version": "1.20", "status": "affected"}, {"version": "1.21", "status": "affected"}, {"version": "1.22", "status": "affected"}, {"version": "1.23", "status": "affected"}, {"version": "1.24", "status": "affected"}, {"version": "1.25", "status": "affected"}, {"version": "1.26", "status": "affected"}, {"version": "1.27.0", "status": "affected"}], "cpes": ["cpe:2.3:a:micropython:micropython:*:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in micropython up to 1.27.0. This vulnerability affects the function mp_import_all of the file py/runtime.c. This manipulation causes memory corruption. The attack needs to be launched locally. The exploit has been published and may be used. Patch name: 570744d06c5ba9dba59b4c3f432ca4f0abd396b6. It is suggested to install a patch to address this issue."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-02-05T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-05T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-18T01:03:36.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Oneafter (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.344546", "name": "VDB-344546 | micropython runtime.c mp_import_all memory corruption", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.344546", "name": "VDB-344546 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.743396", "name": "Submit #743396 | micropython 0fd0843 Memory Corruption", "tags": ["third-party-advisory"]}, {"url": "https://github.com/micropython/micropython/issues/18639", "tags": ["issue-tracking"]}, {"url": "https://github.com/micropython/micropython/pull/18671", "tags": ["issue-tracking"]}, {"url": "https://github.com/micropython/micropython/issues/18639#issue-3780651410", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/dpgeorge/micropython/commit/570744d06c5ba9dba59b4c3f432ca4f0abd396b6", "tags": ["patch"]}, {"url": "https://github.com/micropython/micropython/", "tags": ["product"]}], "tags": ["x_open-source"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-12T15:08:52.250028Z", "id": "CVE-2026-1998", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T15:09:10.411Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1998", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-12T15:08:52.250028Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T15:09:00.777Z"}}], "cna": {"tags": ["x_open-source"], "title": "micropython runtime.c mp_import_all memory corruption", "credits": [{"lang": "en", "type": "reporter", "value": "Oneafter (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"cpes": ["cpe:2.3:a:micropython:micropython:*:*:*:*:*:*:*:*"], "vendor": "n/a", "product": "micropython", "versions": [{"status": "affected", "version": "1.0"}, {"status": "affected", "version": "1.1"}, {"status": "affected", "version": "1.2"}, {"status": "affected", "version": "1.3"}, {"status": "affected", "version": "1.4"}, {"status": "affected", "version": "1.5"}, {"status": "affected", "version": "1.6"}, {"status": "affected", "version": "1.7"}, {"status": "affected", "version": "1.8"}, {"status": "affected", "version": "1.9"}, {"status": "affected", "version": "1.10"}, {"status": "affected", "version": "1.11"}, {"status": "affected", "version": "1.12"}, {"status": "affected", "version": "1.13"}, {"status": "affected", "version": "1.14"}, {"status": "affected", "version": "1.15"}, {"status": "affected", "version": "1.16"}, {"status": "affected", "version": "1.17"}, {"status": "affected", "version": "1.18"}, {"status": "affected", "version": "1.19"}, {"status": "affected", "version": "1.20"}, {"status": "affected", "version": "1.21"}, {"status": "affected", "version": "1.22"}, {"status": "affected", "version": "1.23"}, {"status": "affected", "version": "1.24"}, {"status": "affected", "version": "1.25"}, {"status": "affected", "version": "1.26"}, {"status": "affected", "version": "1.27.0"}]}], "timeline": [{"lang": "en", "time": "2026-02-05T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-05T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-18T01:03:36.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.344546", "name": "VDB-344546 | micropython runtime.c mp_import_all memory corruption", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.344546", "name": "VDB-344546 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.743396", "name": "Submit #743396 | micropython 0fd0843 Memory Corruption", "tags": ["third-party-advisory"]}, {"url": "https://github.com/micropython/micropython/issues/18639", "tags": ["issue-tracking"]}, {"url": "https://github.com/micropython/micropython/pull/18671", "tags": ["issue-tracking"]}, {"url": "https://github.com/micropython/micropython/issues/18639#issue-3780651410", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/dpgeorge/micropython/commit/570744d06c5ba9dba59b4c3f432ca4f0abd396b6", "tags": ["patch"]}, {"url": "https://github.com/micropython/micropython/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in micropython up to 1.27.0. This vulnerability affects the function mp_import_all of the file py/runtime.c. This manipulation causes memory corruption. The attack needs to be launched locally. The exploit has been published and may be used. Patch name: 570744d06c5ba9dba59b4c3f432ca4f0abd396b6. It is suggested to install a patch to address this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "Memory Corruption"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:22:01.000Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1998", "state": "PUBLISHED", "dateUpdated": "2026-02-23T09:22:01.000Z", "dateReserved": "2026-02-05T17:09:46.272Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-06T06:02:08.671Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:micropython:micropython:*:*:*:*:*:*:*:*", "matchCriteriaId": "BAE0EFBB-AF36-42CE-A7ED-0FE76B15691A", "versionEndIncluding": "1.27.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in micropython up to 1.27.0. This vulnerability affects the function mp_import_all of the file py/runtime.c. This manipulation causes memory corruption. The attack needs to be launched locally. The exploit has been published and may be used. Patch name: 570744d06c5ba9dba59b4c3f432ca4f0abd396b6. It is suggested to install a patch to address this issue."}, {"lang": "es", "value": "Se ha encontrado una falla en micropython hasta la versi\u00f3n 1.27.0. Esta vulnerabilidad afecta a la funci\u00f3n mp_import_all del archivo py/runtime.c. Esta manipulaci\u00f3n causa corrupci\u00f3n de memoria. El ataque necesita ser lanzado localmente. El exploit ha sido publicado y puede ser usado. Nombre del parche: 570744d06c5ba9dba59b4c3f432ca4f0abd396b6. Se sugiere instalar un parche para abordar este problema."}], "id": "CVE-2026-1998", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 1.7, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-06T07:16:12.553", "references": [{"source": "cna@vuldb.com", "tags": ["Patch"], "url": "https://github.com/dpgeorge/micropython/commit/570744d06c5ba9dba59b4c3f432ca4f0abd396b6"}, {"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://github.com/micropython/micropython/"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/micropython/micropython/issues/18639"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/micropython/micropython/issues/18639#issue-3780651410"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/micropython/micropython/pull/18671"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.344546"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.344546"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.743396"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "cna@vuldb.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T13:39:12.121479+00:00", "value": {"mitigation_remediation": ["Update MicroPython to a patched version or apply the official patch commit 570744d06c5ba9dba59b4c3f432ca4f0abd396b6, ensuring that the mp_import_all functionality is fixed.", "If a patch cannot be applied immediately, restrict the execution of the MicroPython interpreter to a sandboxed environment, limiting file system access and denying execution by untrusted users to reduce the chances of triggering the flaw.", "Actively monitor the interpreter process for abnormal memory behavior or crash logs, and consider disabling or sanitizing external input that could invoke mp_import_all during early stages of an update."], "summary": {"action": "Apply Patch", "impact": "Memory Corruption"}, "threat_synthesis": {"affected_systems": "MicroPython, a lightweight Python interpreter for embedded devices, is affected for all releases up to and including 1.27.0. The vulnerability is catalogued in the CPE database under cpe:2.3:a:micropython:micropython:*:*:*:*:*:*:* and is relevant to any deployment that runs the mp_import_all routine locally.", "description_and_impact": "A flaw was identified in MicroPython versions up to 1.27.0 that targets the mp_import_all function within py/runtime.c. Manipulating this function can corrupt memory in the interpreter. The impact of this memory corruption could lead to a crash of the interpreter or, at a minimum, an unauthorized manipulation of internal state. The CVE description does not explicitly confirm arbitrary code execution, but the nature of the flaw and the fact that an exploit has been published indicate a significant risk if an attacker can trigger it.", "risk_and_exploitability": "The CVSS score of 4.8 classifies this as a moderate severity issue. The EPSS score is reported as <1%, indicating a low probability of exploitation in the wild; however, the vulnerability is not listed in the CISA KEV catalog. The attack vector requires local access, meaning an adversary must execute code or input data directly on the device hosting the MicroPython interpreter. Exploit code is publicly available on GitHub, and the corresponding patch has been committed, but the lack of a high EPSS suggests that widespread exploitation has not yet occurred. Nonetheless, the possibility of a local attacker using the flaw to corrupt memory\u2014potentially leading to a denial of service or upstream impact on co-located processes\u2014warrants prompt remedial action."}}}}, "created": "2026-02-09T10:52:37.170928+00:00", "updated": "2026-04-18T13:45:45.674756+00:00", "vendors": ["micropython", "micropython$PRODUCT$micropython"]}