Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
In geniezone, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10886526; Issue ID: MSV-6791.
AnalysisAI
Local privilege escalation in MediaTek's geniezone hypervisor component affects 36 distinct chipsets spanning budget to flagship tiers. An attacker who has already achieved System-level privilege can trigger an out-of-bounds write caused by a missing bounds check, escalating further - likely into kernel or hypervisor trust boundaries - with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and this is not listed in the CISA KEV catalog; however, the post-compromise escalation path makes this relevant to threat actors performing multi-stage device compromise on Android-based MediaTek hardware.
Technical ContextAI
geniezone is MediaTek's hypervisor-based security component - a Trusted Execution Environment (TEE) isolation layer implemented on top of the ARM virtualization extensions present in MediaTek SoCs. CWE-787 (Out-of-bounds Write) indicates a write operation proceeds beyond allocated memory boundaries due to the absence of an input bounds check, which in a hypervisor context can corrupt adjacent memory structures including privilege control tables or kernel data. The CPE (cpe:2.3:a:mediatek,_inc.:mediatek_chipset:*:*:*:*:*:*:*:*) applies broadly across the MediaTek chipset portfolio, and the EUVD enumerates 36 specific affected SoCs including MT6761, MT6765, MT6853, MT6885, MT6889, MT6983, MT6991, MT8910, and MT8797, spanning IoT, mid-range, and premium Android device segments. The Patch ID ALPS10886526 and Issue ID MSV-6791 are MediaTek's internal tracking identifiers for this fix.
RemediationAI
The primary fix is Patch ID ALPS10886526, documented in MediaTek's June 2026 Product Security Bulletin at https://corp.mediatek.com/product-security-bulletin/June-2026. MediaTek distributes security patches to OEM device manufacturers, who must then integrate and ship firmware updates to end users - meaning the timeline for end-user availability depends on each OEM's patch cycle. Users and enterprise device managers should monitor their device OEM's security update channels for June 2026 or later security patch level updates. As a compensating control where patching is delayed, restricting the installation of applications that request or exploit System-level permissions reduces the exploitability surface; however, this does not eliminate risk from pre-existing System-privilege malware. No version number for a patched firmware release was independently confirmed in available source data beyond the internal patch identifier.
More in Mediatek Chipset
View allOut-of-bounds write in MediaTek modem firmware enables remote privilege escalation when devices connect to attacker-cont
Out-of-bounds write in MediaTek modem chipset implementations allows remote privilege escalation when user equipment con
Heap buffer overflow in the MediaTek WLAN access point driver allows adjacent-network attackers with low-privilege user
Local privilege escalation in MediaTek GenieZone (trusted execution environment) allows an attacker who has already gain
Remote privilege escalation in the baseband modem firmware of dozens of MediaTek chipsets allows an attacker operating a
Heap buffer overflow in the Telephony subsystem of MediaTek chipsets enables local privilege escalation on affected Andr
Local privilege escalation in the Modem component across 80+ MediaTek chipsets allows an attacker already holding System
Out-of-bounds write in MediaTek's slbc (secure local buffer component) due to type confusion allows local privilege esca
Local privilege escalation in MediaTek geniezone component due to missing bounds check allows System-privileged actors t
Local privilege escalation in MediaTek chipsets (MT6765, MT8893, MT8791T, and 19 others) due to missing permission check
Remote denial of service in MediaTek modem firmware across 47+ chipset variants allows attackers to crash the modem via
Remote denial of service in MediaTek modem chipsets allows unauthenticated attackers to crash the system via a logic err
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33542
GHSA-xrxv-qpfw-72fv