MicroPython
cpe:2.3:a:micropython:micropython:*:*:*:*:*:*:*
- <= 1.27.0
A memory corruption vulnerability has been identified in MicroPython versions prior to 1.27.0. The issue arises in the 'mp_import_all' function within 'py/runtime.c', where the import mechanism incorrectly processes certain object types, leading to a segmentation fault. This vulnerability requires local exploitation and has been assigned CVE-2026-1998.
Exploitation of this vulnerability causes a segmentation fault, crashing the MicroPython runtime. This disruption can lead to a denial-of-service condition, where the process terminates or the device resets.
The vulnerability can be reproduced by compiling MicroPython with the GCC compiler, enabling AddressSanitizer, and then executing a script that uses 'from <malformed_obj> import *' syntax. This can be done by injecting a user-defined class into the import system that does not conform to expected module structures.
Users are advised to update to MicroPython version 1.27.0 or later, where this vulnerability has been fixed.
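For scripts bound for devices that cannot be updated yet, the wildcard-import trigger described above can be audited on the host before deployment. The following Python check is an added example, not code from MicroPython or from this advisory; `audit_star_imports`, its verdict labels, and the heuristic that a same-file write to `sys.modules["X"]` marks an object placed into the import system are assumptions, and the sample script is constructed.

```python
import ast  # host-side CPython 3.9+ (Subscript.slice is the key expression itself)

# Constructed sample script for the demo, not taken from the advisory.
SAMPLE = '''\
import sys
from os import *
def load_settings():
    return object()
sys.modules["cfg"] = load_settings()
from cfg import *
import json
'''

def _sys_modules_key(target):
    """Return the string key if target is sys.modules["..."], else None."""
    if (isinstance(target, ast.Subscript)
            and isinstance(target.value, ast.Attribute)
            and target.value.attr == "modules"
            and isinstance(target.value.value, ast.Name)
            and target.value.value.id == "sys"
            and isinstance(target.slice, ast.Constant)
            and isinstance(target.slice.value, str)):
        return target.slice.value
    return None

def audit_star_imports(source, filename="<script>"):
    """List (line, module, verdict) for every 'from X import *' in source.

    verdict is "injected" when the same file also assigns sys.modules["X"]
    (assumed heuristic for a non-module object reaching the import system),
    otherwise "review" so a person can confirm X is a real module.
    """
    tree = ast.parse(source, filename=filename)  # SyntaxError goes to the caller
    injected, stars = set(), []
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            injected.update(k for k in map(_sys_modules_key, node.targets) if k)
        elif isinstance(node, ast.ImportFrom) and any(a.name == "*" for a in node.names):
            # Relative imports keep their leading dots so they stay distinguishable.
            stars.append((node.lineno, "." * node.level + (node.module or "")))
    return [(line, mod, "injected" if mod in injected else "review")
            for line, mod in sorted(stars)]

if __name__ == "__main__":
    for line, mod, verdict in audit_star_imports(SAMPLE):
        print(f"line {line}: from {mod} import *  [{verdict}]")
```

The check is static and file-local, so a `sys.modules` write made in another file or with a computed key is reported only as "review".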