Skip to main content

MediaTek WLAN AP Driver CVE-2026-20452

| EUVDEUVD-2026-33541 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-06-01 MediaTek GHSA-mfvp-3qw7-v5gw
8.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.0 HIGH
AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 01, 2026 - 13:22 vuln.today
CVSS changed
Jun 01, 2026 - 13:22 NVD
8.0 (HIGH)
CVE Published
Jun 01, 2026 - 03:20 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In wlan AP driver, there is a possible memory corruption due to a heap buffer overflow. This could lead to remote (proximal/adjacent) code execution with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00480138; Issue ID: MSV-6295.

AnalysisAI

Heap buffer overflow in the MediaTek WLAN access point driver allows adjacent-network attackers with low-privilege user execution to corrupt memory and achieve remote code execution without user interaction. The flaw affects multiple MediaTek Wi-Fi chipsets commonly embedded in routers and access points (MT7615, MT7915, MT7916, MT7981, MT7986, MT7990, MT7992, MT7993, MT6890). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

The vulnerability resides in the wireless LAN access point (AP) driver shipped with MediaTek chipsets, which implements 802.11 frame processing on the AP side. CWE-122 (Heap-Based Buffer Overflow) indicates the driver fails to validate the size of attacker-influenced data before copying it into a heap allocation, corrupting adjacent heap metadata or function pointers. Because the driver runs in privileged firmware/kernel context on the chipset, memory corruption is leveraged for arbitrary code execution. The CPE entry (cpe:2.3:a:mediatek,_inc.:mediatek_chipset) is generic, but the EUVD enumerates the specific chipset models - MT7615/7915/7916/7981/7986/7990/7992/7993 and MT6890 - which are widely deployed in consumer and enterprise Wi-Fi 5/6/7 routers, mesh systems, and OEM AP platforms.

RemediationAI

Apply the patch referenced by MediaTek as Patch ID WCNCR00480138 (Issue ID MSV-6295) per the June 2026 MediaTek Product Security Bulletin (https://corp.mediatek.com/product-security-bulletin/June-2026); because MediaTek delivers fixes through downstream OEMs, contact your AP/router vendor (e.g., ASUS, Netgear, TP-Link, Ubiquiti, Zyxel, and OpenWrt-based device vendors using these chipsets) for the corresponding firmware update - patch available per vendor advisory, but no single fix version is published upstream. If patched firmware is not yet available, compensating controls include restricting Wi-Fi access via WPA3 or strong WPA2-Enterprise authentication to limit who can become an adjacent attacker, disabling guest/open SSIDs on affected APs, isolating affected AP management interfaces on a dedicated VLAN, and reducing radio range or relocating APs away from public space - trade-offs include reduced coverage and inconvenience for legitimate guest users, and none of these controls fully eliminate the risk from an authorized but malicious station.

CVE-2026-20433 HIGH
8.8 Apr 07

Out-of-bounds write in MediaTek modem firmware enables remote privilege escalation when devices connect to attacker-cont

CVE-2026-20432 HIGH
8.0 Apr 07

Out-of-bounds write in MediaTek modem chipset implementations allows remote privilege escalation when user equipment con

CVE-2026-20455 HIGH
7.8 Jun 01

Local privilege escalation in MediaTek GenieZone (trusted execution environment) allows an attacker who has already gain

CVE-2026-20458 HIGH
7.5 Jul 01

Remote privilege escalation in the baseband modem firmware of dozens of MediaTek chipsets allows an attacker operating a

CVE-2026-20462 MEDIUM
6.7 Jul 01

Heap buffer overflow in the Telephony subsystem of MediaTek chipsets enables local privilege escalation on affected Andr

CVE-2026-20463 MEDIUM
6.7 Jul 01

Local privilege escalation in the Modem component across 80+ MediaTek chipsets allows an attacker already holding System

CVE-2026-20453 MEDIUM
6.7 Jun 01

Local privilege escalation in MediaTek's geniezone hypervisor component affects 36 distinct chipsets spanning budget to

CVE-2026-20451 MEDIUM
6.7 May 04

Out-of-bounds write in MediaTek's slbc (secure local buffer component) due to type confusion allows local privilege esca

CVE-2026-20447 MEDIUM
6.7 May 04

Local privilege escalation in MediaTek geniezone component due to missing bounds check allows System-privileged actors t

CVE-2026-20448 MEDIUM
6.7 May 04

Local privilege escalation in MediaTek chipsets (MT6765, MT8893, MT8791T, and 19 others) due to missing permission check

CVE-2026-20450 MEDIUM
6.5 May 04

Remote denial of service in MediaTek modem firmware across 47+ chipset variants allows attackers to crash the modem via

CVE-2026-20431 MEDIUM
6.5 Apr 07

Remote denial of service in MediaTek modem chipsets allows unauthenticated attackers to crash the system via a logic err

Share

CVE-2026-20452 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy