{"id":"CVE-2026-1998","details":"A flaw has been found in micropython up to 1.27.0. This vulnerability affects the function mp_import_all of the file py/runtime.c. This manipulation causes memory corruption. The attack needs to be launched locally. The exploit has been published and may be used. Patch name: 570744d06c5ba9dba59b4c3f432ca4f0abd396b6. It is suggested to install a patch to address this issue.","modified":"2026-04-12T20:21:42.969712Z","published":"2026-02-06T07:16:12.553Z","related":["openSUSE-SU-2026:10156-1","openSUSE-SU-2026:20199-1"],"references":[{"type":"WEB","url":"https://github.com/micropython/micropython/"},{"type":"ADVISORY","url":"https://vuldb.com/?id.344546"},{"type":"REPORT","url":"https://vuldb.com/?ctiid.344546"},{"type":"REPORT","url":"https://github.com/micropython/micropython/issues/18639"},{"type":"REPORT","url":"https://github.com/micropython/micropython/issues/18639#issue-3780651410"},{"type":"REPORT","url":"https://github.com/micropython/micropython/pull/18671"},{"type":"FIX","url":"https://github.com/dpgeorge/micropython/commit/570744d06c5ba9dba59b4c3f432ca4f0abd396b6"},{"type":"EVIDENCE","url":"https://vuldb.com/?submit.743396"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dpgeorge/micropython","events":[{"introduced":"0"},{"fixed":"570744d06c5ba9dba59b4c3f432ca4f0abd396b6"}]},{"type":"GIT","repo":"https://github.com/micropython/micropython","events":[{"introduced":"0"},{"last_affected":"78ff170de9e32c79db6e64d3e33d2bd60002bdcd"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.27.0"}]}}],"versions":["v1.0","v1.0-rc1","v1.0.1","v1.1","v1.1.1","v1.10","v1.11","v1.12","v1.13","v1.14","v1.15","v1.16","v1.17","v1.18","v1.19","v1.19.1","v1.2","v1.20.0","v1.21.0","v1.22.0","v1.22.0-preview","v1.23.0","v1.23.0-preview","v1.24.0","v1.24.0-preview","v1.25.0","v1.25.0-preview","v1.26.0","v1.26.0-preview","v1.27.0","v1.27.0-preview","v1.28.0-preview","v1.3","v1.3.1","v1.3.10","v1.3.2","v1.3.3","v1.3.4","v1.3.5","v1.3.6","v1.3.7","v1.3.8","v1.3.9","v1.4","v1.4.1","v1.4.2","v1.4.3","v1.4.4","v1.4.5","v1.4.6","v1.5","v1.5.1","v1.5.2","v1.6","v1.7","v1.8","v1.8.1","v1.8.2","v1.8.3","v1.8.4","v1.8.5","v1.8.6","v1.8.7","v1.9","v1.9.1","v1.9.2","v1.9.3","v1.9.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-1998.json","vanir_signatures":[{"deprecated":false,"signature_version":"v1","id":"CVE-2026-1998-147965e6","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["314669114127214206941191837999180491419","65734818014945278580344814902558745899","177405024897822420457758788821448099790","225847155566421643133302173562872750889","234598909790281932601038328374309982589","208159626100173812426223873924061901334","252008842346387433472178132375686175884","122239347192010381286493971473416362239","7032513319386658241733258425947740844","115679024746737187962769538353380490362","177450214957797854408443010396088667530","306912640794738765172445825369295727916","50376017993905550568569054536298303313","198035267221702008425483894545954342490","8226933511286249839914699664771962011","70388691493598608008399969543868429077"]},"source":"https://github.com/dpgeorge/micropython/commit/570744d06c5ba9dba59b4c3f432ca4f0abd396b6","target":{"file":"py/runtime.c"}},{"deprecated":false,"signature_version":"v1","id":"CVE-2026-1998-38e0d7a6","signature_type":"Function","digest":{"length":785,"function_hash":"30212119845419580799864898971790395502"},"source":"https://github.com/dpgeorge/micropython/commit/570744d06c5ba9dba59b4c3f432ca4f0abd396b6","target":{"file":"py/runtime.c","function":"mp_import_all"}}],"vanir_signatures_modified":"2026-04-12T20:21:42Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}