CVE-2024-8947

5.6 MEDIUM

📋 TL;DR

This critical vulnerability in MicroPython's objarray component allows attackers to trigger a use-after-free condition when bytes objects are resized and copied into themselves. This could potentially lead to memory corruption, crashes, or arbitrary code execution. Any system running MicroPython 1.22.2 or earlier versions with the vulnerable code is affected.

💻 Affected Systems

Products:
  • MicroPython
Versions: Up to and including 1.22.2
Operating Systems: All platforms running MicroPython
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the py/objarray.c file and affects any MicroPython deployment using bytes objects.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or persistent backdoor installation.

🟠 Likely Case: Application crashes, denial of service, or memory corruption leading to unstable behavior.

🟢 If Mitigated: Minimal impact if proper memory protections and exploit mitigations are in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: HIGH

The attack can be launched remotely, but exploitation appears difficult according to the vulnerability description.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.23.0

Vendor Advisory: https://github.com/micropython/micropython/releases/tag/v1.23.0

Restart Required: Yes

Instructions:

1. Download MicroPython 1.23.0 from the official repository.
2. Replace the existing MicroPython installation with the new version.
3. Restart any services or devices using MicroPython.

🔧 Temporary Workarounds

Avoid bytes object self-copy operations (applies to: all)

Modify application code so that it does not resize bytes objects and copy them into themselves.

🧯 If You Can't Patch

  • Implement strict input validation to prevent malicious bytes object manipulation
  • Deploy memory protection mechanisms like ASLR and DEP to reduce exploit success

🔍 How to Verify

Check if Vulnerable:

Check the MicroPython version with 'import sys; print(sys.version)'. If the reported version is 1.22.2 or earlier, the system is vulnerable.

Check Version:

import sys; print(sys.version)

Verify Fix Applied:

After upgrading, verify that the version is 1.23.0 or later using the same command.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes
  • Memory access violation errors
  • Unexpected process termination

Network Indicators:

  • Unusual network traffic to MicroPython services
  • Exploit attempt patterns

SIEM Query:

source="*micropython*" AND (event_type="crash" OR event_type="memory_error")
