MicroPython objslice.c slice_indices heap-based overflow
Description
A heap-buffer-overflow in MicroPython's slice_indices function allows remote attackers to cause memory corruption via a type confusion between float and integer objects.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A critical heap-buffer-overflow vulnerability exists in MicroPython up to version 1.21.0, specifically in the slice_indices function in objslice.c [1][2]. The bug arises from a type-confusion issue: when slice.indices() is called with a float argument (e.g., slice_obj.indices(0.0)), the function mp_obj_int_get_checked misinterprets the internal mp_obj_float structure as an mp_obj_int, reading the mpz field from an incorrect offset [2][3]. This leads to out-of-bounds memory access on the heap, as the float object is smaller than the expected int structure [2].
Exploitation
An attacker can trigger this vulnerability remotely by sending specially crafted Python code that invokes slice.indices() with a float argument [2]. No authentication is required, and the attack can be performed over the network if MicroPython is used in a context that accepts untrusted code—for example, in a web server, IoT device, or REPL accessible over a network [1][2]. A proof-of-concept exploit has been published [2]. The exploitation does not require any special user interaction beyond executing the malicious code.
Impact
Successful exploitation results in a heap-buffer-overflow, which can corrupt adjacent heap memory, potentially leading to arbitrary code execution or a denial of service [1][2]. The type confusion allows the attacker to read or write memory beyond the bounds of the original allocation, compromising confidentiality, integrity, and availability [2]. The impact is rated as critical with a CVSS score indicating remote exploitability [1].
Mitigation
The vulnerability is fixed in MicroPython version 1.22.0, released on 2023-12-28 [1][3]. Users should upgrade to this version immediately. The fix validates that the argument to indices() is an integer, preventing the type confusion [3]. For environments where upgrading is not immediately possible, the only available workaround is to avoid passing float values to slice.indices() in any user-supplied code, although this may not be practical in all deployment scenarios [2][3]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
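The fix described above is a type check at the boundary of indices(): the length argument must be an integer before any arithmetic on it happens. The following added example, which is not MicroPython's code, models slice.indices() in pure Python with that check in place, cross-checks the clamping arithmetic against CPython's built-in slice.indices, and includes the regression check a maintainer would want for this CVE: indices(0.0) must raise TypeError instead of proceeding. The sample slices are constructed for the example.

```python
"""Reference model of slice.indices() with the integer check that the
MicroPython 1.22.0 fix enforces. Added example, not MicroPython code."""
from operator import index as _index


def slice_indices(s: slice, length) -> tuple:
    """Return (start, stop, step) clamped to `length`, as slice.indices does.

    `length` must be an integer (anything accepting operator.index). A float
    is rejected with TypeError before any arithmetic, which is the boundary
    check the vulnerable slice_indices lacked.
    """
    if isinstance(length, float):  # explicit: a float must never be read as an int
        raise TypeError("slice indices must be integers, not float")
    length = _index(length)  # also rejects str, None, and other non-integers
    if length < 0:
        raise ValueError("length should not be negative")
    step = 1 if s.step is None else _index(s.step)
    if step == 0:
        raise ValueError("slice step cannot be zero")
    # Bounds differ by direction: negative steps may stop at -1 (before index 0).
    if step < 0:
        lower, upper = -1, length - 1
    else:
        lower, upper = 0, length
    if s.start is None:
        start = upper if step < 0 else lower
    else:
        start = _index(s.start)
        start = max(start + length, lower) if start < 0 else min(start, upper)
    if s.stop is None:
        stop = lower if step < 0 else upper
    else:
        stop = _index(s.stop)
        stop = max(stop + length, lower) if stop < 0 else min(stop, upper)
    return start, stop, step


def check_against_builtin(cases):
    """Compare the model with CPython's slice.indices on integer lengths.

    Returns the list of (slice, length) pairs that disagree; empty means the
    clamping arithmetic matches the reference behaviour.
    """
    return [(s, n) for s, n in cases if slice_indices(s, n) != s.indices(n)]


def float_is_rejected(s: slice = slice(0, 10)) -> bool:
    """Regression check for this CVE: indices(0.0) must raise TypeError."""
    try:
        slice_indices(s, 0.0)
    except TypeError:
        return True
    return False


# Constructed sample slices covering negative indices, negative steps,
# clamping past both ends, zero length and a bool (an int subclass).
SAMPLE_CASES = [
    (slice(None), 5), (slice(-3, None), 5), (slice(2, 100), 5),
    (slice(None, None, -1), 5), (slice(-100, 3, 2), 5), (slice(4, -10, -2), 5),
    (slice(1, 2), 0), (slice(True, None), 3),
]

if __name__ == "__main__":
    print("mismatches:", check_against_builtin(SAMPLE_CASES))
    print("float rejected:", float_is_rejected())
```

The point of the model is the order of operations: the argument is converted with operator.index (or rejected) first, and only then used in the clamping arithmetic. In the vulnerable C code the equivalent conversion trusted the object's type without checking it, so a float object was read through an int layout.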
[1] Release SSL support in asyncio, sorted qstr pools, common machine module bindings · micropython/micropython (v1.22.0 release notes)
[2] heap-buffer-overflow: mis-interpretation of float as int at slice_indices (GitHub issue)
[3] py/objslice: Validate that the argument to indices() is an integer. by dpgeorge · Pull Request #13039 · micropython/micropython
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), version range: <=1.21.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `slice_indices` function in `objslice.c` does not properly validate integer arguments, leading to a heap-based buffer overflow."
Attack vector
An attacker can trigger this vulnerability remotely by providing crafted arguments to the `slice_indices` function. This manipulation can lead to a heap-based buffer overflow, potentially allowing for arbitrary code execution or denial of service. The exploit has been publicly disclosed and may be actively used.
Affected code
The vulnerability resides within the `slice_indices` function located in the file `objslice.c`. This function is responsible for calculating slice indices and is susceptible to improper input validation.
What the fix does
The advisory recommends upgrading to MicroPython version 1.22.0 to address this issue. This version likely includes a patch that validates the integer arguments passed to the `slice_indices` function, preventing the out-of-bounds write that causes the heap-based buffer overflow. The patch notes indicate that `objslice: validate that the argument to indices() is an integer` was a change made in this release.
Preconditions
- Input: the attacker must be able to control the integer arguments passed to the `slice_indices` function.
Reproduction
The GitHub issue [1] provides a link to a discussion about the vulnerability, and the release notes for v1.22.0 mention a fix related to `objslice: validate that the argument to indices() is an integer`, but specific reproduction steps are not detailed in the provided information.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/micropython/micropython/pull/13039/commits/f397a3ec318f3ad05aa287764ae7cef32202380f (mitre; issue-tracking; patch)
- github.com/micropython/micropython/releases/tag/v1.22.0 (mitre; patch)
- github.com/micropython/micropython/issues/13007 (mitre; exploit; issue-tracking)
- github.com/micropython/micropython/pull/13039 (mitre; issue-tracking)
- vuldb.com (mitre; signature; permissions-required)
- vuldb.com (mitre; vdb-entry; technical-description)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4E2HYWCZB5R4SHY4SZZZSFDMD64N4SOZ/ (mitre)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D3WWY5JY4RTJE25APB4REGDUDPATG6H7/ (mitre)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEK46QAJOXXDZOWOIE2YACUOCZFWOBCK/ (mitre)
News mentions
No linked articles in our index yet.