Skip to main content

Mediatek Chipset CVE-2026-20433

| EUVDEUVD-2026-19568 HIGH
Out-of-bounds Write (CWE-787)
2026-04-07 MediaTek
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 07, 2026 - 03:45 euvd
EUVD-2026-19568
Analysis Generated
Apr 07, 2026 - 03:45 vuln.today
CVE Published
Apr 07, 2026 - 03:25 nvd
HIGH 8.8

DescriptionCVE.org

In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01088681; Issue ID: MSV-4460.

AnalysisAI

Out-of-bounds write in MediaTek modem firmware enables remote privilege escalation when devices connect to attacker-controlled rogue cellular base stations. The vulnerability affects over 60 MediaTek chipset models widely deployed in smartphones and IoT devices, exploitable by adjacent network attackers without authentication (CVSS:3.1 AV:A/PR:N). While EPSS scores this at only 6% exploitation probability (18th percentile) and no active exploitation is confirmed at time of analysis, the attack s

Technical ContextAI

This vulnerability resides in the MediaTek modem baseband processor firmware, specifically in code handling cellular network communications. The root cause is CWE-787 (Out-of-bounds Write), where the modem fails to validate buffer boundaries when processing data from cellular base stations. MediaTek chipsets integrate modem, application processor, and connectivity functions on a single SoC; the affected modem component operates at high privilege levels with direct hardware access. The vulnerability spans 63 distinct chipset models including flagship (MT6989, MT6990, MT6991), mid-range (MT6833, MT6877, MT6985), and specialized IoT variants (MT2735, MT2737, MT8668-MT8893 series). The CVSS vector AV:A (Adjacent Network) reflects the cellular radio attack surface, requiring the attacker to operate a rogue base station within radio range of victim devices. The missing bounds check allows malicious Over-The-Air (OTA) cellular protocol messages to write beyond allocated memory buffers during protocol stack processing, potentially corrupting modem firmware memory structures.

RemediationAI

MediaTek released firmware patch MOLY01088681 addressing the modem bounds check vulnerability, documented in their April 2026 Product Security Bulletin at https://corp.mediatek.com/product-security-bulletin/April-2026. End users cannot directly apply MediaTek patches; device manufacturers (Samsung, Xiaomi, Oppo, Vivo, Realme, and others) must integrate the modem firmware fix into OEM-specific system updates. Users should immediately check for and install the latest security updates from their device manufacturer, prioritizing devices used in sensitive environments. OEMs should expedite integration of MOLY01088681 into monthly security maintenance releases. For enterprise deployments, Mobile Device Management (MDM) administrators should enforce automatic security updates and verify patch deployment across managed device fleets. As a partial mitigation until patches deploy, organizations can implement network policies restricting device roaming in high-risk geographic areas, though this does not prevent determined attackers with portable rogue base stations. Security teams should monitor for anomalous cellular behavior including unexpected base station connections, signal strength anomalies, or devices repeatedly losing and re-establishing network registration, though sophisticated attacks may not produce detectable signatures.

CVE-2026-20432 HIGH
8.0 Apr 07

Out-of-bounds write in MediaTek modem chipset implementations allows remote privilege escalation when user equipment con

CVE-2026-20452 HIGH
8.0 Jun 01

Heap buffer overflow in the MediaTek WLAN access point driver allows adjacent-network attackers with low-privilege user

CVE-2026-20455 HIGH
7.8 Jun 01

Local privilege escalation in MediaTek GenieZone (trusted execution environment) allows an attacker who has already gain

CVE-2026-20458 HIGH
7.5 Jul 01

Remote privilege escalation in the baseband modem firmware of dozens of MediaTek chipsets allows an attacker operating a

CVE-2026-20462 MEDIUM
6.7 Jul 01

Heap buffer overflow in the Telephony subsystem of MediaTek chipsets enables local privilege escalation on affected Andr

CVE-2026-20463 MEDIUM
6.7 Jul 01

Local privilege escalation in the Modem component across 80+ MediaTek chipsets allows an attacker already holding System

CVE-2026-20453 MEDIUM
6.7 Jun 01

Local privilege escalation in MediaTek's geniezone hypervisor component affects 36 distinct chipsets spanning budget to

CVE-2026-20451 MEDIUM
6.7 May 04

Out-of-bounds write in MediaTek's slbc (secure local buffer component) due to type confusion allows local privilege esca

CVE-2026-20447 MEDIUM
6.7 May 04

Local privilege escalation in MediaTek geniezone component due to missing bounds check allows System-privileged actors t

CVE-2026-20448 MEDIUM
6.7 May 04

Local privilege escalation in MediaTek chipsets (MT6765, MT8893, MT8791T, and 19 others) due to missing permission check

CVE-2026-20450 MEDIUM
6.5 May 04

Remote denial of service in MediaTek modem firmware across 47+ chipset variants allows attackers to crash the modem via

CVE-2026-20431 MEDIUM
6.5 Apr 07

Remote denial of service in MediaTek modem chipsets allows unauthenticated attackers to crash the system via a logic err

Share

CVE-2026-20433 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy