Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In slbc, there is a possible out of bounds write due to type confusion. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10828685; Issue ID: MSV-6504.
AnalysisAI
Out-of-bounds write in MediaTek's slbc (secure local buffer component) due to type confusion allows local privilege escalation to full system compromise when an attacker already holds System privilege. The vulnerability requires no user interaction and affects 32 MediaTek chipset models. CISA SSVC framework rates technical impact as total; however, EPSS score of 0.02% suggests limited real-world exploitation despite the high CVSS score of 6.7, likely due to the requirement for pre-existing System privilege.
Technical ContextAI
The vulnerability exists in slbc, a component of MediaTek chipsets responsible for secure local buffer operations. Type confusion in this context means the code incorrectly interprets or casts a data type, leading to CWE-843 (Access of Resource Using Incompatible Type - Type Confusion). This type confusion triggers an out-of-bounds write, a memory corruption flaw that allows writing data beyond allocated buffer boundaries. The affected chipsets span multiple product lines (MT8xxx, MT6xxx series), suggesting the vulnerable code path is shared across MediaTek's platform software stack. The local attack vector (AV:L) and high privilege requirement (PR:H - System privilege) indicate this is not a remote vulnerability but rather a privilege escalation within a device already compromised or misused by a privileged actor.
RemediationAI
Apply firmware update corresponding to MediaTek Patch ID ALPS10828685, which addresses the type confusion and out-of-bounds write vulnerability. Device vendors (Samsung, Xiaomi, OPPO, Vivo, etc.) who manufacture phones and tablets using affected MediaTek chipsets must release over-the-air (OTA) firmware updates that incorporate this patch. Users should check their device manufacturer's security bulletin and install all available security updates. No workaround exists for this vulnerability once System privilege is obtained by a malicious actor, as the flaw is in privileged chipset firmware code; mitigation must occur at the firmware level. Organizations managing devices with affected MediaTek chipsets should enforce software update policies and monitor for firmware release notifications from their device vendors. Full device protection requires firmware version corresponding to or later than the patched ALPS10828685 build.
More in Mediatek Chipset
View allOut-of-bounds write in MediaTek modem firmware enables remote privilege escalation when devices connect to attacker-cont
Out-of-bounds write in MediaTek modem chipset implementations allows remote privilege escalation when user equipment con
Heap buffer overflow in the MediaTek WLAN access point driver allows adjacent-network attackers with low-privilege user
Local privilege escalation in MediaTek GenieZone (trusted execution environment) allows an attacker who has already gain
Remote privilege escalation in the baseband modem firmware of dozens of MediaTek chipsets allows an attacker operating a
Heap buffer overflow in the Telephony subsystem of MediaTek chipsets enables local privilege escalation on affected Andr
Local privilege escalation in the Modem component across 80+ MediaTek chipsets allows an attacker already holding System
Local privilege escalation in MediaTek's geniezone hypervisor component affects 36 distinct chipsets spanning budget to
Local privilege escalation in MediaTek geniezone component due to missing bounds check allows System-privileged actors t
Local privilege escalation in MediaTek chipsets (MT6765, MT8893, MT8791T, and 19 others) due to missing permission check
Remote denial of service in MediaTek modem firmware across 47+ chipset variants allows attackers to crash the modem via
Remote denial of service in MediaTek modem chipsets allows unauthenticated attackers to crash the system via a logic err
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26891