Skip to main content

MediaTek GenieZone CVE-2026-20454

| EUVDEUVD-2026-33543 MEDIUM
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-06-01 MediaTek GHSA-fr72-6536-5mwp
6.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 01, 2026 - 13:22 vuln.today
CVSS changed
Jun 01, 2026 - 13:22 NVD
6.4 (MEDIUM)
CVE Published
Jun 01, 2026 - 03:20 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In geniezone, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10873936; Issue ID: MSV-6786.

AnalysisAI

Local privilege escalation in MediaTek's GenieZone hypervisor component affects 36 distinct chipsets via a race condition-induced out-of-bounds write. An attacker who has already obtained System-level privilege on an affected Android device can exploit the TOCTOU flaw to escalate further - likely to kernel or hypervisor-level execution - achieving full confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis, and no KEV listing exists; however, the wide chipset footprint spanning flagship to budget SoCs significantly broadens the potential attack surface.

Technical ContextAI

GenieZone is MediaTek's hardware-assisted virtualization and Trusted Execution Environment (TEE) hypervisor framework embedded in its SoC family. The vulnerability is classified as CWE-367 (Time-of-Check Time-of-Use / TOCTOU race condition), meaning a shared resource is checked and then used in separate, non-atomic operations, creating a window for a concurrent thread or process to alter the resource between those two operations. The result is an out-of-bounds write - memory beyond an intended buffer boundary is overwritten - which in a hypervisor context can corrupt control structures, page tables, or execution state. The affected CPE is cpe:2.3:a:mediatek,_inc.:mediatek_chipset across a broad range of SoC models spanning Android flagship, mid-range, and budget segments. The high attack complexity (AC:H) directly reflects the probabilistic nature of winning a race condition, which requires precise timing or repeated attempts.

RemediationAI

The vendor-supplied patch is identified by Patch ID ALPS10873936 (Issue ID MSV-6786) and is documented in the MediaTek Product Security Bulletin for June 2026 at https://corp.mediatek.com/product-security-bulletin/June-2026. OEM and ODM device manufacturers must integrate this patch into their Android security update pipelines and push OTA updates to affected devices. End users should apply the latest available security patch level for their device as soon as it is released by their device manufacturer. Because the vulnerability requires System-level privilege as a prerequisite, compensating controls that limit the ability to obtain System privilege - such as enforcing SELinux enforcing mode, restricting sideloading of privileged applications, and applying Android's verified boot - will materially reduce exploitation risk in the absence of a device-specific OTA patch. Disabling developer options and ADB on production devices removes additional privilege escalation pathways that could feed this attack. Note that SELinux policies alone do not patch the race condition but do reduce the probability that an attacker can reach System privilege in the first place.

CVE-2026-20433 HIGH
8.8 Apr 07

Out-of-bounds write in MediaTek modem firmware enables remote privilege escalation when devices connect to attacker-cont

CVE-2026-20432 HIGH
8.0 Apr 07

Out-of-bounds write in MediaTek modem chipset implementations allows remote privilege escalation when user equipment con

CVE-2026-20452 HIGH
8.0 Jun 01

Heap buffer overflow in the MediaTek WLAN access point driver allows adjacent-network attackers with low-privilege user

CVE-2026-20455 HIGH
7.8 Jun 01

Local privilege escalation in MediaTek GenieZone (trusted execution environment) allows an attacker who has already gain

CVE-2026-20458 HIGH
7.5 Jul 01

Remote privilege escalation in the baseband modem firmware of dozens of MediaTek chipsets allows an attacker operating a

CVE-2026-20462 MEDIUM
6.7 Jul 01

Heap buffer overflow in the Telephony subsystem of MediaTek chipsets enables local privilege escalation on affected Andr

CVE-2026-20463 MEDIUM
6.7 Jul 01

Local privilege escalation in the Modem component across 80+ MediaTek chipsets allows an attacker already holding System

CVE-2026-20453 MEDIUM
6.7 Jun 01

Local privilege escalation in MediaTek's geniezone hypervisor component affects 36 distinct chipsets spanning budget to

CVE-2026-20451 MEDIUM
6.7 May 04

Out-of-bounds write in MediaTek's slbc (secure local buffer component) due to type confusion allows local privilege esca

CVE-2026-20447 MEDIUM
6.7 May 04

Local privilege escalation in MediaTek geniezone component due to missing bounds check allows System-privileged actors t

CVE-2026-20448 MEDIUM
6.7 May 04

Local privilege escalation in MediaTek chipsets (MT6765, MT8893, MT8791T, and 19 others) due to missing permission check

CVE-2026-20450 MEDIUM
6.5 May 04

Remote denial of service in MediaTek modem firmware across 47+ chipset variants allows attackers to crash the modem via

Share

CVE-2026-20454 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy