Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
In geniezone, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10873936; Issue ID: MSV-6784.
AnalysisAI
Local privilege escalation in MediaTek GenieZone (trusted execution environment) allows an attacker who has already gained System-level privileges on an affected device to write out-of-bounds memory and escalate further on the chipset. The flaw affects a broad range of MediaTek chipsets used in mobile and embedded devices, with no public exploit identified at time of analysis. CVSS is 7.8 (High) reflecting the high integrity, confidentiality, and availability impact despite the local attack vector.
Technical ContextAI
GenieZone is MediaTek's proprietary Trusted Execution Environment (TEE) hypervisor, isolating sensitive workloads (DRM, key storage, biometrics) from the Android Rich Execution Environment. The root cause is CWE-787 (Out-of-bounds Write) caused by a missing bounds check in a GenieZone code path reachable from a privileged caller. Because GenieZone runs at a higher privilege boundary than the Android OS, corrupting its memory can break the security guarantees the TEE provides to the rest of the system. The affected CPE is cpe:2.3:a:mediatek,_inc.:mediatek_chipset, spanning dozens of MT6xxx/MT8xxx SoCs (e.g. MT6991, MT8798, MT6989) used in Android phones and tablets.
RemediationAI
Apply the MediaTek-supplied fix tracked as Patch ID ALPS10873936 (Issue ID MSV-6784) as integrated by your device OEM in the June 2026 Android security level or later vendor firmware update - see https://corp.mediatek.com/product-security-bulletin/June-2026. Because TEE fixes ship through the device manufacturer's firmware/OTA pipeline rather than directly from MediaTek, end users and fleet operators should track their OEM's security bulletin (Samsung, Xiaomi, Oppo, etc.) and force-install the corresponding monthly patch. As a compensating control until firmware is available, restrict the ability of apps to attain System privilege by enforcing strict MDM-controlled app allow-listing, disabling sideloading, and removing unnecessary privileged system apps; note this only reduces the attack surface that could reach the GenieZone interface and does not remove the vulnerability itself.
More in Mediatek Chipset
View allOut-of-bounds write in MediaTek modem firmware enables remote privilege escalation when devices connect to attacker-cont
Out-of-bounds write in MediaTek modem chipset implementations allows remote privilege escalation when user equipment con
Heap buffer overflow in the MediaTek WLAN access point driver allows adjacent-network attackers with low-privilege user
Remote privilege escalation in the baseband modem firmware of dozens of MediaTek chipsets allows an attacker operating a
Heap buffer overflow in the Telephony subsystem of MediaTek chipsets enables local privilege escalation on affected Andr
Local privilege escalation in the Modem component across 80+ MediaTek chipsets allows an attacker already holding System
Local privilege escalation in MediaTek's geniezone hypervisor component affects 36 distinct chipsets spanning budget to
Out-of-bounds write in MediaTek's slbc (secure local buffer component) due to type confusion allows local privilege esca
Local privilege escalation in MediaTek geniezone component due to missing bounds check allows System-privileged actors t
Local privilege escalation in MediaTek chipsets (MT6765, MT8893, MT8791T, and 19 others) due to missing permission check
Remote denial of service in MediaTek modem firmware across 47+ chipset variants allows attackers to crash the modem via
Remote denial of service in MediaTek modem chipsets allows unauthenticated attackers to crash the system via a logic err
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33544
GHSA-jf3x-c8h2-5gjj