Skip to main content

Mediatek Chipset CVE-2026-20432

| EUVDEUVD-2026-19566 HIGH
Out-of-bounds Write (CWE-787)
2026-04-07 MediaTek
8.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.0 HIGH
AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 07, 2026 - 03:45 euvd
EUVD-2026-19566
Analysis Generated
Apr 07, 2026 - 03:45 vuln.today
CVE Published
Apr 07, 2026 - 03:25 nvd
HIGH 8.0

DescriptionCVE.org

In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01406170; Issue ID: MSV-4461.

AnalysisAI

Out-of-bounds write in MediaTek modem chipset implementations allows remote privilege escalation when user equipment connects to an attacker-controlled rogue cellular base station. Affects 57 MediaTek chipset models across MT67xx, MT68xx, MT69xx, MT87xx, and MT27xx families used in mobile devices. Authentication not required (CVSS PR:N) but requires adjacent network access and user interaction to connect to malicious base station. EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability. No public exploit identified at time of analysis, though vendor patch MOLY01406170 has been released per April 2026 MediaTek security bulletin.

Technical ContextAI

This vulnerability resides in the modem firmware layer of MediaTek chipsets, specifically in cellular baseband processing components that handle communication protocol stacks for mobile networks (LTE/5G). The CWE-787 out-of-bounds write occurs due to missing bounds validation when processing data from cellular base stations, allowing buffer overflow conditions. The affected CPE identifier cpe:2.3:a:mediatek,_inc.:mediatek_chipset encompasses modem implementations across flagship (MT69xx), mid-range (MT68xx), and automotive/IoT (MT87xx) product lines. The modem subsystem operates at high privilege levels with direct hardware access, making memory corruption vulnerabilities particularly severe. The adjacent network attack vector (AV:A) indicates exploitation requires the attacker to operate within radio frequency range of the target device, effectively positioning a rogue base station that masquerades as legitimate cellular infrastructure to trigger the vulnerability during protocol negotiation or data handling phases.

RemediationAI

Apply vendor-released patch MOLY01406170 as documented in MediaTek Product Security Bulletin April 2026 available at https://corp.mediatek.com/product-security-bulletin/April-2026. Device manufacturers (OEMs) integrating affected MediaTek chipsets must incorporate this modem firmware update into their device software packages and distribute through normal update channels. End users should install security updates provided by their device manufacturer as soon as available, checking Settings > System > System Update or equivalent paths depending on Android OEM implementation. Organizations managing mobile device fleets should prioritize devices with affected chipsets for firmware updates through mobile device management platforms. As interim risk mitigation while awaiting patches, organizations with high-security requirements may implement network monitoring to detect rogue base station activity using cellular network analysis tools, though this provides limited protection and does not address the underlying vulnerability. Disabling automatic network selection and manually selecting trusted carriers reduces but does not eliminate exposure to rogue base station attacks.

CVE-2026-20433 HIGH
8.8 Apr 07

Out-of-bounds write in MediaTek modem firmware enables remote privilege escalation when devices connect to attacker-cont

CVE-2026-20452 HIGH
8.0 Jun 01

Heap buffer overflow in the MediaTek WLAN access point driver allows adjacent-network attackers with low-privilege user

CVE-2026-20455 HIGH
7.8 Jun 01

Local privilege escalation in MediaTek GenieZone (trusted execution environment) allows an attacker who has already gain

CVE-2026-20458 HIGH
7.5 Jul 01

Remote privilege escalation in the baseband modem firmware of dozens of MediaTek chipsets allows an attacker operating a

CVE-2026-20462 MEDIUM
6.7 Jul 01

Heap buffer overflow in the Telephony subsystem of MediaTek chipsets enables local privilege escalation on affected Andr

CVE-2026-20463 MEDIUM
6.7 Jul 01

Local privilege escalation in the Modem component across 80+ MediaTek chipsets allows an attacker already holding System

CVE-2026-20453 MEDIUM
6.7 Jun 01

Local privilege escalation in MediaTek's geniezone hypervisor component affects 36 distinct chipsets spanning budget to

CVE-2026-20451 MEDIUM
6.7 May 04

Out-of-bounds write in MediaTek's slbc (secure local buffer component) due to type confusion allows local privilege esca

CVE-2026-20447 MEDIUM
6.7 May 04

Local privilege escalation in MediaTek geniezone component due to missing bounds check allows System-privileged actors t

CVE-2026-20448 MEDIUM
6.7 May 04

Local privilege escalation in MediaTek chipsets (MT6765, MT8893, MT8791T, and 19 others) due to missing permission check

CVE-2026-20450 MEDIUM
6.5 May 04

Remote denial of service in MediaTek modem firmware across 47+ chipset variants allows attackers to crash the modem via

CVE-2026-20431 MEDIUM
6.5 Apr 07

Remote denial of service in MediaTek modem chipsets allows unauthenticated attackers to crash the system via a logic err

Share

CVE-2026-20432 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy