VYPR
Moderate severity · NVD Advisory · Published Sep 17, 2024 · Updated Sep 17, 2024

MicroPython VFS Unmount vfs.c mp_vfs_umount heap-based overflow

CVE-2024-8946

Description

A critical heap-buffer-overflow flaw in MicroPython 1.23.0's VFS unmount handler due to incorrect length-based string comparison allows remote arbitrary code execution or denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Description

CVE-2024-8946 is a critical heap-buffer-overflow vulnerability in MicroPython 1.23.0, specifically in the mp_vfs_umount function within extmod/vfs.c [1]. The root cause is that when comparing the mounted path string with the user-supplied unmount path string, the code uses the length of the unmount string as the comparison boundary. This can lead to reading beyond the bounds of a shorter mounted path buffer, resulting in a heap-based buffer overflow [2].

Exploitation Scenario

An attacker can exploit this vulnerability remotely by sending a specially crafted unmount request that is longer than the actual mounted path [1]. The bug is triggered whenever the unmount string length exceeds the length of the mount string it is compared against [2]. The provided proof of concept (PoC) demonstrates unmounting a path like /lfs with an extremely long unmount string, causing the overflow [2]. No authentication is required, and the attack can be launched over the network if the MicroPython device exposes the VFS unmount interface.

Impact

Successful exploitation could allow an attacker to cause a denial of service (crash) or potentially execute arbitrary code within the context of the MicroPython runtime, depending on heap layout and memory protections [1][2]. The bug is classified as critical with a CVSS v4.0 score reflecting high impact on confidentiality, integrity, and availability [1].

Mitigation

The fix is available in commit 29943546343c92334e8518695a11fc0e2ceea68b within the MicroPython repository [1]. Users are strongly advised to apply the patch or update to a version that includes it [1]. No workaround is documented; the safest mitigation is to update the software.
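The comparison rule from the fix, as an added stand-alone C example (not MicroPython's code): the `mount_entry` struct, the function names and the sample paths are hypothetical and constructed here. `old_compare_overreads` only reports when the pre-fix `memcmp` of `mnt_len + 1` bytes would have gone past the stored path; it never performs that read.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for one mount-table entry: a path plus its length. */
typedef struct mount_entry {
    const char *str;            /* mounted path, NUL-terminated */
    size_t len;                 /* strlen(str) */
    struct mount_entry *next;
} mount_entry;

/* Pre-fix logic passed mnt_len + 1 to memcmp. The stored path only holds
 * len + 1 bytes, so any request longer than the entry makes memcmp's
 * length argument exceed that buffer. Report it without doing the read. */
bool old_compare_overreads(const mount_entry *e, size_t mnt_len) {
    return mnt_len > e->len;
}

/* Post-fix logic: lengths must be equal before any bytes are compared,
 * so memcmp never covers more than e->len bytes of the stored path. */
bool fixed_matches(const mount_entry *e, const char *mnt_str, size_t mnt_len) {
    return mnt_len == e->len && memcmp(mnt_str, e->str, mnt_len) == 0;
}

/* Walk the table in order, as the patched loop does; NULL if no match. */
const mount_entry *find_mount(const mount_entry *head, const char *mnt_str, size_t mnt_len) {
    for (const mount_entry *e = head; e != NULL; e = e->next) {
        if (fixed_matches(e, mnt_str, mnt_len)) return e;
    }
    return NULL;
}

/* Constructed sample table: "/lfs" followed by "/sd". */
static mount_entry sd = { "/sd", 3, NULL };
static mount_entry lfs = { "/lfs", 4, &sd };

int main(void) {
    const char *reqs[] = { "/lfs", "/sd", "/lf", "/lfsAAAAAAAAAAAAAAAAAAAAAAAA" };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        size_t n = strlen(reqs[i]);
        const mount_entry *hit = find_mount(&lfs, reqs[i], n);
        printf("%-30s match=%-5s old code over-reads \"/sd\": %d\n", reqs[i],
               hit ? hit->str : "none", old_compare_overreads(&sd, n));
    }
    return 0;
}
```

The "/lfs" row shows that the old comparison exceeded the 4-byte "/sd" buffer even for a legitimate request, because every table entry shorter than the request was compared with the request's length.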

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Affected versions    Patched versions
micropython-copy (PyPI)      <= 3.3.3.post3
micropython-io (PyPI)        <= 0.1
micropython-os-path (PyPI)   <= 0.1.3
micropython-string (PyPI)    <= 0.1

Affected products

5

Patches

1
29943546343c

extmod/vfs: Fix buffer overflow of string comparison in umount.

1 file changed · +1 -1
  • extmod/vfs.c · +1 -1 · modified
    @@ -273,7 +273,7 @@ mp_obj_t mp_vfs_umount(mp_obj_t mnt_in) {
             mnt_str = mp_obj_str_get_data(mnt_in, &mnt_len);
         }
         for (mp_vfs_mount_t **vfsp = &MP_STATE_VM(vfs_mount_table); *vfsp != NULL; vfsp = &(*vfsp)->next) {
    -        if ((mnt_str != NULL && !memcmp(mnt_str, (*vfsp)->str, mnt_len + 1)) || (*vfsp)->obj == mnt_in) {
    +        if ((mnt_str != NULL && mnt_len == (*vfsp)->len && !memcmp(mnt_str, (*vfsp)->str, mnt_len)) || (*vfsp)->obj == mnt_in) {
                 vfs = *vfsp;
                 *vfsp = (*vfsp)->next;
                 break;
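
Review bot: The safety of the `memcmp` on the changed `if` line now depends entirely on `mnt_len == (*vfsp)->len` being evaluated first, and nothing on the line records that ordering requirement or that `(*vfsp)->len` must always equal the length of `(*vfsp)->str`. A one-line comment above the condition stating that the length check bounds the comparison would keep a later refactor from reordering or dropping it. Dropping the `+ 1` is fine, since with equal lengths the terminator no longer needs to be compared. The commit touches only extmod/vfs.c, so it would also be worth adding a regression test that calls umount with a string longer than every mounted path and with a strict prefix of a mounted path, asserting that neither matches.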
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

12
