Severity by source
AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
AV:A and AC:H reflect mandatory rogue base station proximity; C:H for meaningful modem-layer data leakage; I:N and A:N as no write or availability impact occurs.
Primary rating from Vendor (MediaTek).
CVSS VectorVendor: MediaTek
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
In Modem, there is a possible information disclosure due to improper input validation. This could lead to remote information disclosure, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01811421; Issue ID: MSV-6788.
AnalysisAI
Information disclosure in MediaTek modem firmware across 67+ chipset models enables a network-adjacent attacker operating a rogue cellular base station to extract sensitive data from a victim's User Equipment (UE) without any privileges or user interaction. The root cause is improper input validation (CWE-288) in the modem baseband stack, allowing a fake cell tower to elicit confidential data from connected devices. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to physically operate a rogue cellular base station (fake eNodeB or gNB) within radio range of the target UE - this is the AV:A (Adjacent Network) constraint in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 5.3 Medium score reflects a careful balance of constraining factors: AV:A (Adjacent Network) requires the attacker to operate a rogue base station in physical proximity to the victim, and AC:H (High Complexity) acknowledges the non-trivial operational requirements of deploying a fake cell tower. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker deploys a portable rogue base station (software-defined radio with fake eNodeB/gNB software) in a location where the target's device is likely to be, such as a conference, border crossing, or government building. The victim's device passively connects to the rogue tower as part of normal cellular association without user awareness. … |
| Remediation | The primary remediation is applying patch MOLY01811421 released by MediaTek, as referenced in the July 2026 Product Security Bulletin (https://corp.mediatek.com/product-security-bulletin/July-2026). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Mediatek Chipset
View allOut-of-bounds write in MediaTek modem firmware enables remote privilege escalation when devices connect to attacker-cont
Out-of-bounds write in MediaTek modem chipset implementations allows remote privilege escalation when user equipment con
Heap buffer overflow in the MediaTek WLAN access point driver allows adjacent-network attackers with low-privilege user
Local privilege escalation in MediaTek GenieZone (trusted execution environment) allows an attacker who has already gain
Remote privilege escalation in the baseband modem firmware of dozens of MediaTek chipsets allows an attacker operating a
Heap buffer overflow in the Telephony subsystem of MediaTek chipsets enables local privilege escalation on affected Andr
Local privilege escalation in the Modem component across 80+ MediaTek chipsets allows an attacker already holding System
Local privilege escalation in MediaTek's geniezone hypervisor component affects 36 distinct chipsets spanning budget to
Out-of-bounds write in MediaTek's slbc (secure local buffer component) due to type confusion allows local privilege esca
Local privilege escalation in MediaTek geniezone component due to missing bounds check allows System-privileged actors t
Local privilege escalation in MediaTek chipsets (MT6765, MT8893, MT8791T, and 19 others) due to missing permission check
Remote denial of service in MediaTek modem firmware across 47+ chipset variants allows attackers to crash the modem via
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40873
GHSA-7cqg-gq5x-qr9q