Skip to main content

MediaTek Modem Chipset CVE-2026-20450

| EUVDEUVD-2026-26890 MEDIUM
Reachable Assertion (CWE-617)
2026-05-04 MediaTek
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 04, 2026 - 14:22 vuln.today
CVSS changed
May 04, 2026 - 14:22 NVD
6.5 (None) 6.5 (MEDIUM)
EUVD ID Assigned
May 04, 2026 - 07:00 euvd
EUVD-2026-26890
Analysis Generated
May 04, 2026 - 07:00 vuln.today
CVE Published
May 04, 2026 - 05:41 nvd
MEDIUM 6.5

DescriptionCVE.org

In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01753620; Issue ID: MSV-6100.

AnalysisAI

Remote denial of service in MediaTek modem firmware across 47+ chipset variants allows attackers to crash the modem via incorrect error handling when a user equipment device connects to a rogue base station, requiring no authentication or user interaction. The vulnerability affects a broad range of MediaTek cellular chipsets (MT6855, MT6985, MT8793, and others) and carries a CVSS 6.5 score reflecting network-adjacent attack vector and high availability impact. Patch MSV-6100 / MOLY01753620 is available from MediaTek.

Technical ContextAI

The vulnerability resides in the modem firmware's radio access network (RAN) stack, specifically in the handling of malformed or unexpected protocol messages from base station connections. CWE-617 (Reachable Assertion) indicates the root cause is an assertion or validation check that can be triggered to cause a crash when the modem receives crafted signals or control messages from a rogue base station. The attack vector is adjacent (AV:A) rather than purely network because the modem must be in active communication with the attacker-controlled base station; however, any device in cellular coverage of such a station is at risk. The issue affects MediaTek's modular chipset design, which powers Android devices, IoT equipment, and telecommunications infrastructure globally. CPE data confirms the vulnerability spans multiple modem architecture families (Helio, Dimensity, and other MediaTek lines).

RemediationAI

Apply MediaTek firmware patch MOLY01753620 (Patch ID MSV-6100) released in May 2026 via the standard OTA update mechanism for devices using affected chipsets. End users should enable automatic system updates and contact their device manufacturer (Samsung, Xiaomi, OPPO, Vivo, Qualcomm reference designs, telecom vendors) for specific firmware version numbers that include this fix, as MediaTek patch identifiers map to vendor-specific release versions. For infrastructure operators (cellular carriers, private network operators), coordinate with MediaTek and equipment vendors for modem firmware updates to enterprise gateways and base station equipment. No workaround exists to prevent the crash other than avoiding connection to untrusted networks, which is impractical for mobile devices. The modem will automatically reconnect after crash, resulting in brief service interruption but not data loss. Apply patches as part of regular maintenance windows rather than emergency response, given the low exploitation likelihood (EPSS 0.08%) and non-critical impact.

CVE-2026-20433 HIGH
8.8 Apr 07

Out-of-bounds write in MediaTek modem firmware enables remote privilege escalation when devices connect to attacker-cont

CVE-2026-20432 HIGH
8.0 Apr 07

Out-of-bounds write in MediaTek modem chipset implementations allows remote privilege escalation when user equipment con

CVE-2026-20452 HIGH
8.0 Jun 01

Heap buffer overflow in the MediaTek WLAN access point driver allows adjacent-network attackers with low-privilege user

CVE-2026-20455 HIGH
7.8 Jun 01

Local privilege escalation in MediaTek GenieZone (trusted execution environment) allows an attacker who has already gain

CVE-2026-20458 HIGH
7.5 Jul 01

Remote privilege escalation in the baseband modem firmware of dozens of MediaTek chipsets allows an attacker operating a

CVE-2026-20462 MEDIUM
6.7 Jul 01

Heap buffer overflow in the Telephony subsystem of MediaTek chipsets enables local privilege escalation on affected Andr

CVE-2026-20463 MEDIUM
6.7 Jul 01

Local privilege escalation in the Modem component across 80+ MediaTek chipsets allows an attacker already holding System

CVE-2026-20453 MEDIUM
6.7 Jun 01

Local privilege escalation in MediaTek's geniezone hypervisor component affects 36 distinct chipsets spanning budget to

CVE-2026-20451 MEDIUM
6.7 May 04

Out-of-bounds write in MediaTek's slbc (secure local buffer component) due to type confusion allows local privilege esca

CVE-2026-20447 MEDIUM
6.7 May 04

Local privilege escalation in MediaTek geniezone component due to missing bounds check allows System-privileged actors t

CVE-2026-20448 MEDIUM
6.7 May 04

Local privilege escalation in MediaTek chipsets (MT6765, MT8893, MT8791T, and 19 others) due to missing permission check

CVE-2026-20431 MEDIUM
6.5 Apr 07

Remote denial of service in MediaTek modem chipsets allows unauthenticated attackers to crash the system via a logic err

Share

CVE-2026-20450 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy