Skip to main content

MediaTek Modem CVE-2026-20458

| EUVDEUVD-2026-40871 HIGH
Out-of-bounds Write (CWE-787)
2026-07-01 MediaTek GHSA-v5qh-c8xh-h5f9
7.5
CVSS 3.1 · Vendor: MediaTek
Share

Severity by source

Vendor (MediaTek) PRIMARY
7.5 HIGH
AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

Adjacent radio vector (AV:A) with high complexity (AC:H) for the rogue-base-station precondition; no privileges or interaction needed, full high impact confined to the modem subsystem.

3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (MediaTek).

CVSS VectorVendor: MediaTek

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jul 01, 2026 - 11:23 vuln.today
CVSS changed
Jul 01, 2026 - 11:22 NVD
7.5 (HIGH)
CVE Published
Jul 01, 2026 - 03:13 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In Modem, there is a possible memory corruption due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01402160; Issue ID: MSV-7298.

AnalysisAI

Remote privilege escalation in the baseband modem firmware of dozens of MediaTek chipsets allows an attacker operating a rogue base station to corrupt modem memory via a missing bounds check (out-of-bounds write, CWE-787). Once a target UE camps on the attacker-controlled cell, exploitation requires no user interaction and no pre-existing privileges, potentially yielding privilege escalation within the modem subsystem. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Deploy rogue base station near target
Delivery
Induce UE to camp on cell
Exploit
Send crafted radio-layer message
Execution
Trigger out-of-bounds write in modem
Persist
Corrupt baseband memory
Impact
Escalate privilege within modem

Vulnerability AssessmentAI

Exploitation Exploitation requires the target UE to connect to a rogue base station controlled by the attacker (an adjacent, radio-range position - AV:A), meaning the attacker needs cellular transmission equipment and physical proximity, and typically must lure or force the device onto the malicious cell. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.5 (High) with vector AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H: the adjacent (radio-range) attack vector and high attack complexity are the main limiting factors, offset by no privileges and no user interaction being required, and full high impact to confidentiality, integrity, and availability of the modem. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sets up a rogue LTE/5G base station near a target and induces the victim's phone to camp on it, then transmits a crafted radio-layer message that overflows a buffer in the MediaTek modem due to the missing bounds check, corrupting modem memory to escalate privileges within the baseband without any user action. Because attack complexity is high and the vector is adjacent, this is a proximity-based, targeted attack rather than remote internet exploitation; no public POC has been identified at time of analysis.
Remediation Apply the MediaTek fix identified as Patch ID MOLY01402160 (Issue ID MSV-7298) as delivered through your device OEM's firmware/security update; this is best described as 'Patch available per vendor advisory' since the July 2026 MediaTek Product Security Bulletin (https://corp.mediatek.com/product-security-bulletin/July-2026) does not publish a single tagged firmware version number, and device availability depends on each OEM's rollout. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all organization-managed and BYOD devices using affected MediaTek chipsets (consult MDM platform and carrier networks); escalate to CISO and executive stakeholders with device impact count. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-20433 HIGH
8.8 Apr 07

Out-of-bounds write in MediaTek modem firmware enables remote privilege escalation when devices connect to attacker-cont

CVE-2026-20432 HIGH
8.0 Apr 07

Out-of-bounds write in MediaTek modem chipset implementations allows remote privilege escalation when user equipment con

CVE-2026-20452 HIGH
8.0 Jun 01

Heap buffer overflow in the MediaTek WLAN access point driver allows adjacent-network attackers with low-privilege user

CVE-2026-20455 HIGH
7.8 Jun 01

Local privilege escalation in MediaTek GenieZone (trusted execution environment) allows an attacker who has already gain

CVE-2026-20462 MEDIUM
6.7 Jul 01

Heap buffer overflow in the Telephony subsystem of MediaTek chipsets enables local privilege escalation on affected Andr

CVE-2026-20463 MEDIUM
6.7 Jul 01

Local privilege escalation in the Modem component across 80+ MediaTek chipsets allows an attacker already holding System

CVE-2026-20453 MEDIUM
6.7 Jun 01

Local privilege escalation in MediaTek's geniezone hypervisor component affects 36 distinct chipsets spanning budget to

CVE-2026-20451 MEDIUM
6.7 May 04

Out-of-bounds write in MediaTek's slbc (secure local buffer component) due to type confusion allows local privilege esca

CVE-2026-20447 MEDIUM
6.7 May 04

Local privilege escalation in MediaTek geniezone component due to missing bounds check allows System-privileged actors t

CVE-2026-20448 MEDIUM
6.7 May 04

Local privilege escalation in MediaTek chipsets (MT6765, MT8893, MT8791T, and 19 others) due to missing permission check

CVE-2026-20450 MEDIUM
6.5 May 04

Remote denial of service in MediaTek modem firmware across 47+ chipset variants allows attackers to crash the modem via

CVE-2026-20431 MEDIUM
6.5 Apr 07

Remote denial of service in MediaTek modem chipsets allows unauthenticated attackers to crash the system via a logic err

Share

CVE-2026-20458 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy