1. Ubuntu Security Notices
  2. USN-7472-1

USN-7472-1: Micropython vulnerabilities

Publication date

1 May 2025

Overview

Several security issues were fixed in micropython.

Releases

Packages

  • micropython - Implementation of Python 3.x on microcontrollers and small embedded systems.

Details

Junwha Hong and Wonil Jang discovered that Micropython incorrectly handled
the length of a buffer in mp_vfs_umount, leading to a heap-based buffer
overflow vulnerability. If a user or automated system were tricked into
opening a specially crafted file, an attacker could possibly use this issue
to cause a denial of service or possibly execute arbitrary code.
(CVE-2024-8946)

Junwha Hong and Wonil Jang discovered that Micropython incorrectly handled
memory, leading to a use-after-free vulnerability under certain
circumstances. If a user or automated system were tricked into opening a
specially crafted file, an attacker could possibly use this issue to
cause a denial of service or possibly execute arbitrary code.
(CVE-2024-8947)

It was discovered that Middleware USB Host MCU Component incorrectly
handled memory, leading to a buffer overflow...

Junwha Hong and Wonil Jang discovered that Micropython incorrectly handled
the length of a buffer in mp_vfs_umount, leading to a heap-based buffer
overflow vulnerability. If a user or automated system were tricked into
opening a specially crafted file, an attacker could possibly use this issue
to cause a denial of service or possibly execute arbitrary code.
(CVE-2024-8946)

Junwha Hong and Wonil Jang discovered that Micropython incorrectly handled
memory, leading to a use-after-free vulnerability under certain
circumstances. If a user or automated system were tricked into opening a
specially crafted file, an attacker could possibly use this issue to
cause a denial of service or possibly execute arbitrary code.
(CVE-2024-8947)

It was discovered that Middleware USB Host MCU Component incorrectly
handled memory, leading to a buffer overflow vulnerability, If a user or
automated system were tricked into opening a specially crafted file, an
attacker could possibly use this issue to cause a denial of service or
possibly execute arbitrary code. (CVE-2021-42553)

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
24.10 oracular micropython –  1.22.1+ds-1ubuntu0.24.10.1
24.04 noble micropython –  1.22.1+ds-1ubuntu0.24.04.1~esm1  
22.04 jammy micropython –  1.17+ds-1.1ubuntu2+esm1  
20.04 focal micropython –  1.12-1ubuntu0.1~esm1  

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›