PT-2024-39331 · Unknown+2 · Micropython+2

Qbit · Published 2024-09-17 · Updated 2025-05-01 · CVE-2024-8946

CVSS v3.1: 7.5 (High) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: MicroPython version 1.23.0
Description: A critical issue has been found in the VFS Unmount Handler component, specifically in the function mp_vfs_umount of the file extmod/vfs.c. The flaw is a heap-based buffer overflow (an out-of-bounds read) and can be triggered remotely. The comparison between the mounted path string and the unmount request string is bounded solely by the length of the unmount string, so a request longer than the mounted path reads past the end of the heap buffer that holds it.
Recommendations: Apply the upstream fix, commit 29943546343c92334e8518695a11fc0e2ceea68b. As a temporary workaround, consider disabling the mp_vfs_umount function until the patch is applied. Restrict access to the extmod/vfs.c file to minimise the risk of exploitation. Avoid using the VFS unmount process until the issue is resolved.
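The length-only comparison the description refers to, modelled as an added example in C (this is not MicroPython's code; the mount-table struct, the sample mounts and the find_mount_* functions are constructed here for illustration): the vulnerable matcher beside its hardened form, which requires equal lengths before comparing any bytes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of a mount table: each entry stores its mount path as a
 * pointer plus explicit length, with no guarantee of NUL termination. This is
 * an illustrative stand-in, not MicroPython's real vfs structures. */
typedef struct {
    const char *str;
    size_t len;
} mount_entry_t;

/* Constructed sample table: two mounts, "/flash" and "/sd". */
static const mount_entry_t MOUNT_TABLE[] = {
    { "/flash", 6 },
    { "/sd", 3 },
};
#define MOUNT_COUNT (sizeof(MOUNT_TABLE) / sizeof(MOUNT_TABLE[0]))

/* Vulnerable pattern the advisory describes: the byte comparison is bounded by
 * the length of the unmount request only. A request longer than the stored
 * path makes memcmp read past the end of the buffer behind entry->str, and a
 * request that is a prefix of it ("/fl" vs "/flash") is accepted as a match. */
static bool path_matches_vulnerable(const mount_entry_t *e, const char *req, size_t req_len) {
    return memcmp(e->str, req, req_len) == 0;
}

/* Hardened form: lengths must be equal before any byte is compared, so the
 * read never exceeds the stored length and a prefix can never match. */
static bool path_matches_fixed(const mount_entry_t *e, const char *req, size_t req_len) {
    return e->len == req_len && memcmp(e->str, req, req_len) == 0;
}

/* Unmount lookup with the hardened matcher: index of the entry to remove, or -1. */
int find_mount_fixed(const char *req, size_t req_len) {
    for (size_t i = 0; i < MOUNT_COUNT; i++) {
        if (path_matches_fixed(&MOUNT_TABLE[i], req, req_len)) return (int)i;
    }
    return -1;
}

/* Same lookup with the vulnerable matcher. Only called here with a request no
 * longer than any stored path, which shows the wrong-entry match without
 * performing the over-read. */
int find_mount_vulnerable(const char *req, size_t req_len) {
    for (size_t i = 0; i < MOUNT_COUNT; i++) {
        if (path_matches_vulnerable(&MOUNT_TABLE[i], req, req_len)) return (int)i;
    }
    return -1;
}
```

With the vulnerable matcher, an unmount request for "/fl" selects the "/flash" entry; the fixed matcher rejects it and also rejects an over-long request such as "/flashXYZ" before touching any bytes.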

Exploit · Fix

Weakness Enumeration: Memory Corruption · Heap-Based Buffer Overflow

Related Identifiers

CVE-2024-8946
GHSA-74QM-4V7R-JW2F
PYSEC-2024-91
PYSEC-2024-93
PYSEC-2024-95
PYSEC-2024-96
USN-7472-1

Affected Products

Linuxmint
Micropython
Ubuntu