CVE-2024-8948

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-8948
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-8948.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-8948
Aliases
Downstream
Published
2024-09-17T19:15:29.747Z
Modified
2025-11-16T12:08:32.734316Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

A vulnerability was found in MicroPython 1.23.0. It has been rated as critical. Affected by this issue is the function mpz_as_bytes of the file py/objint.c. The manipulation leads to heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The patch is identified as 908ab1ceca15ee6fd0ef82ca4cba770a3ec41894. It is recommended to apply a patch to fix this issue. In micropython objint component, converting zero from int to bytes leads to heap buffer-overflow-write at mpz_as_bytes.

References

Affected packages

Git / github.com/micropython/micropython

Affected ranges

Type
GIT
Repo
https://github.com/micropython/micropython
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v1.*

v1.0
v1.0-rc1
v1.0.1
v1.1
v1.1.1
v1.10
v1.11
v1.12
v1.13
v1.14
v1.15
v1.16
v1.17
v1.18
v1.19
v1.19.1
v1.2
v1.20.0
v1.21.0
v1.22.0
v1.22.0-preview
v1.23.0
v1.23.0-preview
v1.24.0-preview
v1.3
v1.3.1
v1.3.10
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.4
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.5
v1.5.1
v1.5.2
v1.6
v1.7
v1.8
v1.8.1
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.8.6
v1.8.7
v1.9
v1.9.1
v1.9.2
v1.9.3
v1.9.4

Database specific

vanir_signatures
