Skip to main content

MediaTek Modem CVE-2026-20459

| EUVDEUVD-2026-40872 MEDIUM
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-07-01 MediaTek GHSA-67vv-7c97-f7h6
5.3
CVSS 3.1 · Vendor: MediaTek
Share

Severity by source

Vendor (MediaTek) PRIMARY
5.3 MEDIUM
AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.3 MEDIUM

Adjacent attack vector (rogue base station required nearby), high complexity (specialized radio equipment), no privileges on target, DoS-only impact.

3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:A/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (MediaTek).

CVSS VectorVendor: MediaTek

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 13:31 vuln.today
CVSS changed
Jul 01, 2026 - 12:22 NVD
5.9 (MEDIUM) 5.3 (MEDIUM)
CVSS changed
Jul 01, 2026 - 11:22 NVD
5.9 (MEDIUM)
CVE Published
Jul 01, 2026 - 03:14 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01816800; Issue ID: MSV-6842.

AnalysisAI

Remote denial-of-service in MediaTek modem firmware across 80+ chipset families allows an attacker operating a rogue cellular base station to crash affected devices by sending malformed input the modem fails to validate. The vulnerability (CWE-288) requires no privileges on the target device and no user interaction - a device that autonomously connects to the attacker's false base station is sufficient. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Deploy rogue base station nearby
Delivery
Target device auto-attaches to false cell
Exploit
Send malformed protocol message to attached UE
Execution
Modem fails to validate input (CWE-288)
Persist
Modem process crashes
Impact
Device experiences denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target User Equipment (UE) - a smartphone, tablet, or other cellular device powered by one of the 80+ affected MediaTek chipsets - has connected to a rogue base station controlled by the attacker. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 5.3 (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects a moderate-severity, adjacent-network, high-complexity attack. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A threat actor with access to software-defined radio (SDR) equipment deploys a rogue LTE or NR base station broadcasting a stronger signal than legitimate towers in a target's vicinity - a technique sometimes called an IMSI catcher or false base station. A target device running a vulnerable MediaTek modem autonomously attaches to this rogue cell; the attacker then transmits a specially crafted over-the-air protocol message that the modem's input validation logic fails to handle correctly, triggering a system crash and rendering the device temporarily inoperable. …
Remediation The patch for this vulnerability is identified as MOLY01816800 (Issue ID: MSV-6842), released as part of the MediaTek July 2026 Product Security Bulletin at https://corp.mediatek.com/product-security-bulletin/July-2026. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-20433 HIGH
8.8 Apr 07

Out-of-bounds write in MediaTek modem firmware enables remote privilege escalation when devices connect to attacker-cont

CVE-2026-20432 HIGH
8.0 Apr 07

Out-of-bounds write in MediaTek modem chipset implementations allows remote privilege escalation when user equipment con

CVE-2026-20452 HIGH
8.0 Jun 01

Heap buffer overflow in the MediaTek WLAN access point driver allows adjacent-network attackers with low-privilege user

CVE-2026-20455 HIGH
7.8 Jun 01

Local privilege escalation in MediaTek GenieZone (trusted execution environment) allows an attacker who has already gain

CVE-2026-20458 HIGH
7.5 Jul 01

Remote privilege escalation in the baseband modem firmware of dozens of MediaTek chipsets allows an attacker operating a

CVE-2026-20462 MEDIUM
6.7 Jul 01

Heap buffer overflow in the Telephony subsystem of MediaTek chipsets enables local privilege escalation on affected Andr

CVE-2026-20463 MEDIUM
6.7 Jul 01

Local privilege escalation in the Modem component across 80+ MediaTek chipsets allows an attacker already holding System

CVE-2026-20453 MEDIUM
6.7 Jun 01

Local privilege escalation in MediaTek's geniezone hypervisor component affects 36 distinct chipsets spanning budget to

CVE-2026-20451 MEDIUM
6.7 May 04

Out-of-bounds write in MediaTek's slbc (secure local buffer component) due to type confusion allows local privilege esca

CVE-2026-20447 MEDIUM
6.7 May 04

Local privilege escalation in MediaTek geniezone component due to missing bounds check allows System-privileged actors t

CVE-2026-20448 MEDIUM
6.7 May 04

Local privilege escalation in MediaTek chipsets (MT6765, MT8893, MT8791T, and 19 others) due to missing permission check

CVE-2026-20450 MEDIUM
6.5 May 04

Remote denial of service in MediaTek modem firmware across 47+ chipset variants allows attackers to crash the modem via

Share

CVE-2026-20459 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy