PT-2024-39333 · Unknown · Micropython

Qbit · Published 2024-09-17 · Updated 2024-09-23 · CVE-2024-8948

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: MicroPython version 1.23.0
Description: A critical issue has been found in the mpz_as_bytes function of the file py/objint.c. This issue leads to a heap-based buffer overflow. The attack can be launched remotely. The problem arises when converting zero from int to bytes, resulting in a heap-buffer-overflow write in mpz_as_bytes.
Recommendations: For MicroPython version 1.23.0, apply the patch that fixes this issue, identified by commit 908ab1ceca15ee6fd0ef82ca4cba770a3ec41894. As a temporary workaround, consider disabling the mpz_as_bytes function until the patch can be applied.

Memory Corruption

Heap Based Buffer Overflow

Weakness Enumeration

Related Identifiers

CVE-2024-8948
GHSA-VH3X-525M-JP4R
PYSEC-2024-87
PYSEC-2024-88
PYSEC-2024-89

Affected Products

Micropython