Nixpkgs Security Tracker

Published

Permalink CVE-2026-1998

updated 2 weeks ago by @LeSuisse Activity log

Created automatic suggestion 2 weeks, 1 day ago
@LeSuisse accepted 2 weeks ago
@LeSuisse published on GitHub 2 weeks ago

micropython runtime.c mp_import_all memory corruption

A flaw has been found in micropython up to 1.27.0. This vulnerability affects the function mp_import_all of the file py/runtime.c. This manipulation causes memory corruption. The attack needs to be launched locally. The exploit has been published and may be used. Patch name: 570744d06c5ba9dba59b4c3f432ca4f0abd396b6. It is suggested to install a patch to address this issue.

Affected products

micropython

==1.7
==1.14
==1.6
==1.21
==1.4
==1.25
==1.3
==1.27.0
==1.2
==1.11
==1.20
==1.1
==1.9
==1.24
==1.19
==1.16
==1.0
==1.23
==1.22
==1.18
==1.26
==1.5
==1.10
==1.15
==1.8
==1.17
==1.12
==1.13

Matching in nixpkgs

pkgs.micropython

Lean and efficient Python implementation for microcontrollers and constrained systems

nixos-unstable 1.26.0
- nixpkgs-unstable 1.26.0
- nixos-unstable-small 1.26.0
nixos-25.11 1.26.0
- nixos-25.11-small 1.26.0
- nixpkgs-25.11-darwin 1.26.0

Package maintainers

@prusnak Pavol Rusnak <pavol@rusnak.io>
@stigtsp Stig Palmquist <stig@stig.io>

Upstream issue: https://github.com/micropython/micropython/issues/18639
Upstream patch: https://github.com/dpgeorge/micropython/commit/570744d06c5ba9dba59b4c3f432ca4f0abd396b6

Suggestions search

Affected products

Matching in nixpkgs

pkgs.micropython

Package maintainers