CVE-2026-1998

3.3 LOW

📋 TL;DR

A memory corruption vulnerability in MicroPython's mp_import_all function, the runtime routine that implements the star-import statement (from <module> import *), allows an attacker who can run Python code on the interpreter to crash it or potentially execute arbitrary native code. It affects MicroPython versions up to and including 1.27.0. Exploitation requires the ability to execute Python on the system or device running MicroPython; the flaw is not reachable over the network on its own.

💻 Affected Systems

Products:
  • MicroPython
Versions: Up to and including 1.27.0
Operating Systems: All platforms running MicroPython
Default Config Vulnerable: ⚠️ Yes
Notes: Any device or application running MicroPython up to version 1.27.0 is affected once Python code executed on it performs a star import (from <module> import *), the statement that invokes mp_import_all.

📦 What is this software?

MicroPython is a lean implementation of Python 3, written in C, designed to run on microcontrollers and other memory-constrained systems; it also ships a Unix port used on desktop and server hosts for development and testing.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local privilege escalation leading to full system compromise if MicroPython runs with elevated privileges.

🟠

Likely Case

Denial of service through an interpreter crash, or native code execution in the context of the interpreter process. MicroPython provides no sandbox between Python code and the interpreter, so "limited" here means limited to the privileges of that process or device.

🟢

If Mitigated

Minimal impact if the interpreter only ever executes trusted, reviewed code, or runs in an isolated container with minimal privileges.

🌐 Internet-Facing: LOW - Requires the ability to run Python code on the interpreter; not remotely exploitable on its own. A device that accepts code over the network (WebREPL, an update channel that delivers .py files) extends that ability to whoever controls the channel.
🏢 Internal Only: MEDIUM - Any local user or process that can execute Python on a vulnerable MicroPython instance can trigger it.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to run Python code on the interpreter and knowledge of the star-import input that triggers the fault. Public proof-of-concept code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 570744d06c5ba9dba59b4c3f432ca4f0abd396b6; 1.27.0 is the last affected tagged release, and the first tagged release containing the fix is not named here.

Vendor Advisory: https://github.com/micropython/micropython/issues/18639

Restart Required: Yes

Instructions:

1. Update MicroPython to a release after 1.27.0, or apply commit 570744d06c5ba9dba59b4c3f432ca4f0abd396b6 to your source tree.
2. Rebuild MicroPython (or the firmware that embeds it) from source and redeploy or reflash it.
3. Restart any applications using MicroPython.

🔧 Temporary Workarounds

Disable vulnerable imports

Applies to: all platforms

mp_import_all is the runtime routine behind the star-import statement (from <module> import *). Until the fix is deployed, audit the Python sources the interpreter runs and replace each star import with explicit names (from <module> import name), which do not go through mp_import_all, and do not let untrusted code reach the interpreter at all.

# Review and restrict Python code using wildcard imports
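A pre-deployment scan that finds every star import in a source tree, as an added example that is not part of the original page or of the MicroPython project. It runs under CPython on the build host (the function names, the constructed SAMPLE_SOURCE and the command-line usage are this example's own); MicroPython accepts the same import syntax, so a file that is clean here contains no statement that reaches mp_import_all.

```python
"""Scan Python sources for star imports before they are shipped to a MicroPython target.

Usage on a build host (CPython):  python3 scan_star_imports.py path/to/firmware/src
Exit status 1 means at least one star import (or unparseable file) was found.
"""
import ast
import pathlib
import sys


def find_star_imports(source, filename="<string>"):
    """Return [(line, module)] for each `from <module> import *` in `source`.

    Relative star imports are reported with their leading dots so that
    `from . import *` and `from .pkg import *` are not silently dropped.
    """
    tree = ast.parse(source, filename=filename)
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and any(alias.name == "*" for alias in node.names):
            module = "." * node.level + (node.module or "")
            hits.append((node.lineno, module))
    return hits


def scan_tree(root):
    """Scan every .py file under `root`; returns {path: [(line, module), ...]} for files with hits."""
    findings = {}
    for path in sorted(pathlib.Path(root).rglob("*.py")):
        try:
            hits = find_star_imports(path.read_text(encoding="utf-8"), str(path))
        except SyntaxError as exc:
            # A file the parser rejects cannot be vetted; report it rather than skip it.
            hits = [(exc.lineno or 0, "<syntax error: %s>" % exc.msg)]
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed sample input for the demonstration; not a real project file.
SAMPLE_SOURCE = """\
from os import *
import sys
from math import sqrt
from .pkg import *
x = 1
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        findings = scan_tree(sys.argv[1])
        for path, hits in findings.items():
            for line, module in hits:
                print("%s:%d: star import of %r" % (path, line, module))
        sys.exit(1 if findings else 0)
    for line, module in find_star_imports(SAMPLE_SOURCE):
        print("sample:%d: star import of %r" % (line, module))
```

Wire the scan into the build or CI step that assembles the files to be flashed, so a star import cannot reach the device unnoticed; the exit status is non-zero whenever anything is flagged.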

🧯 If You Can't Patch

  • Run the MicroPython Unix port in an isolated container, or any MicroPython instance with the least privilege the application needs, so a crash or native code execution stays contained
  • Implement strict access controls so that only trusted users and processes can execute Python on the interpreter, whichever path they use (local shell, serial/USB REPL, WebREPL, file upload)

🔍 How to Verify

Check if Vulnerable:

Run the check under the interpreter itself, not under CPython. In MicroPython, sys.version reports the Python language level plus a "MicroPython v1.x.y" string (for example "3.4.0; MicroPython v1.27.0 on ..."), and sys.version_info reports the language level (3, 4, 0), so neither is the MicroPython release number; the release number is sys.implementation.version.

Check Version:

micropython -c "import sys; print(sys.implementation.name, sys.implementation.version)"

An interpreter that reports micropython with a version at or below (1, 27, 0) is affected. On a device, run the same import and print at the REPL.

Verify Fix Applied:

The fix is identified by commit rather than by a tagged release, so for a build from master or from a vendor fork confirm that commit 570744d06c5ba9dba59b4c3f432ca4f0abd396b6 is an ancestor of the source the firmware was built from, for example with: git merge-base --is-ancestor 570744d06c5ba9dba59b4c3f432ca4f0abd396b6 HEAD (exit status 0 means it is). A tagged release newer than 1.27.0 that was cut after that commit also contains the fix.
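The version test above as a script, added here as an example that is not from the page or from the MicroPython project. It reads sys.implementation rather than sys.version_info for the reason given above, and keeps the comparison in a pure function so it runs under both MicroPython (micropython check_cve_2026_1998.py, or pasted at a REPL) and CPython; the function names and the LAST_AFFECTED constant are this example's own.

```python
"""Report whether the running interpreter is a MicroPython release listed as affected."""
import sys

# Last tagged release listed as affected on this page. The fix is identified only by
# commit, so a build that is newer than this tag still needs the commit confirmed.
LAST_AFFECTED = (1, 27, 0)


def is_affected(impl_name, version):
    """True when impl_name/version describe MicroPython at or below LAST_AFFECTED.

    Pass sys.implementation.name and sys.implementation.version. On MicroPython the
    version tuple is the MicroPython release, e.g. (1, 27, 0, '') with an optional
    trailing pre-release string, so only the first three elements are compared.
    sys.version_info is deliberately not used: MicroPython reports the Python
    language level (3, 4, 0) there, and CPython would report its own version.
    """
    if impl_name != "micropython":
        return False
    numeric = tuple(int(part) for part in version[:3])
    return numeric <= LAST_AFFECTED


def verdict(impl_name, version):
    """One-line verdict for the command-line entry point."""
    shown = ".".join(str(part) for part in version[:3])
    if is_affected(impl_name, version):
        return "AFFECTED: micropython %s is at or below %s" % (
            shown, ".".join(str(part) for part in LAST_AFFECTED))
    if impl_name == "micropython":
        return "NEWER THAN LAST AFFECTED RELEASE: micropython %s; confirm the fix commit is in the build" % shown
    return "NOT MICROPYTHON: %s %s, this check does not apply" % (impl_name, shown)


if __name__ == "__main__":
    print(verdict(sys.implementation.name, tuple(sys.implementation.version)))
```

Only %-formatting and plain tuples are used so the same file runs unchanged on constrained targets; the third branch of verdict is what you see if the script is accidentally run with python3.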

📡 Detection & Monitoring

Log Indicators:

  • MicroPython interpreter crashes: unexpected process exits on the Unix port, watchdog or hard-fault resets on embedded targets
  • Memory access violation errors in system logs (Linux kernel "micropython[<pid>]: segfault at ..." lines in dmesg or journald, Windows Application Error events)

Network Indicators:

  • None - local exploitation only

SIEM Query:

(Process:micropython AND (EventID:1000 OR EventID:1001)) OR Error:memory_corruption

EventID 1000 (Application Error) and 1001 (Windows Error Reporting) are Windows Application-log events, so that clause only matches a Windows host running the interpreter; on Linux hosts match the kernel's "micropython[<pid>]: segfault at ..." line instead. The explicit parentheses avoid depending on the query language's AND/OR precedence.
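Detection logic for the Linux side of the above, as an added example that is not from the page or from the MicroPython project: it parses the x86-64 kernel segfault line for a chosen process name out of syslog/journal text and decodes the page-fault error code, then reports crashes that land on the same offset inside the micropython binary (offset rather than raw instruction pointer, because ASLR moves the mapping between runs). The function names and the SAMPLE_LOG lines are constructed for this example; ARM targets log faults in a different format that this pattern does not cover.

```python
"""Pull interpreter segfaults out of Linux log lines and spot repeated crash sites."""
import re
from collections import Counter

# x86-64 Linux kernel format for a user-space segfault. Newer kernels append
# "likely on CPU n (...)", which search() tolerates.
SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>[^\s\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

# Constructed syslog lines for the demonstration; not taken from a real incident.
SAMPLE_LOG = """\
Mar  3 10:41:02 host kernel: [12345.678901] micropython[2317]: segfault at 0 ip 000055a1c0d2a4b0 sp 00007ffd1e4c8a10 error 4 in micropython[55a1c0c00000+180000]
Mar  3 10:41:05 host systemd[1]: Started Session 12 of user dev.
Mar  3 10:42:17 host kernel: [12420.000001] python3[2401]: segfault at 8 ip 00007f3a5c2e1d40 sp 00007ffe3b1c2f00 error 6 in libc.so.6[7f3a5c2a0000+1b0000]
Mar  3 10:43:00 host kernel: [12463.111111] micropython[2502]: segfault at ffffffffffffffff ip 000055e3f8a2a4b0 sp 00007ffd1e4c8a10 error 5 in micropython[55e3f8900000+180000] likely on CPU 2 (core 2, socket 0)
"""


def parse_segfaults(lines, process="micropython"):
    """Extract segfault events for `process` from log lines.

    The x86 page-fault error code is decoded bitwise: bit 0 set means a protection
    violation (the page was present), bit 1 a write access, bit 2 a fault raised
    from user mode. `offset` is ip minus the mapping base, stable across ASLR.
    """
    events = []
    for line in lines:
        match = SEGFAULT_RE.search(line)
        if match is None or match.group("comm") != process:
            continue
        err = int(match.group("err"))
        ip = int(match.group("ip"), 16)
        events.append({
            "pid": int(match.group("pid")),
            "fault_addr": int(match.group("addr"), 16),
            "ip": ip,
            "object": match.group("obj"),
            "offset": ip - int(match.group("base"), 16),
            "error_code": err,
            "protection_violation": bool(err & 1),
            "write": bool(err & 2),
            "user_mode": bool(err & 4),
        })
    return events


def repeated_offsets(events):
    """(object, offset) pairs seen in more than one crash.

    A deterministic trigger, such as a script that performs a crashing star import,
    faults at the same code offset every time; unrelated bugs scatter across offsets.
    """
    counts = Counter((event["object"], event["offset"]) for event in events)
    return {key: n for key, n in counts.items() if n > 1}


if __name__ == "__main__":
    found = parse_segfaults(SAMPLE_LOG.splitlines())
    for event in found:
        print("pid %d faulted at 0x%x (%s+0x%x, error %d)" % (
            event["pid"], event["fault_addr"], event["object"], event["offset"], event["error_code"]))
    for (obj, offset), n in repeated_offsets(found).items():
        print("%s+0x%x crashed %d times" % (obj, offset, n))
```

Feed it journalctl -k output or /var/log/kern.log; two or more hits on the same offset within a short window, especially right after new Python code was deployed, is the signal worth escalating.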

🔗 References
