Skip to main content

MediaTek Telephony CVE-2026-20462

| EUVDEUVD-2026-40875 MEDIUM
Heap-based Buffer Overflow (CWE-122)
2026-07-01 MediaTek GHSA-39rh-f5c6-gchq
6.7
CVSS 3.1 · Vendor: MediaTek
Share

Severity by source

Vendor (MediaTek) PRIMARY
6.7 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.7 MEDIUM

System-level privilege is an explicit, confirmed prerequisite (PR:H); exploitation is local-only (AV:L); once conditions are met, AC:L and full C/I/A impact are consistent with a heap overflow yielding arbitrary code execution.

3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (MediaTek).

CVSS VectorVendor: MediaTek

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jul 01, 2026 - 11:26 vuln.today
CVSS changed
Jul 01, 2026 - 11:22 NVD
6.7 (MEDIUM)
CVE Published
Jul 01, 2026 - 03:14 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In Telephony, there is a possible memory corruption due to a heap buffer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS11006447; Issue ID: MSV-7871.

AnalysisAI

Heap buffer overflow in the Telephony subsystem of MediaTek chipsets enables local privilege escalation on affected Android devices, delivering full confidentiality, integrity, and availability impact. Twenty-two specific MediaTek SoC variants are confirmed affected, spanning the MT6xxx and MT8xxx mid-range and budget families. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain initial device foothold
Delivery
Escalate to System privilege via separate exploit
Exploit
Craft malicious Telephony subsystem input
Install
Trigger heap buffer overflow
C2
Corrupt adjacent heap memory structures
Execute
Redirect execution flow to attacker-controlled code
Impact
Achieve privilege escalation beyond System level

Vulnerability AssessmentAI

Exploitation Exploitation explicitly requires that the attacker has already obtained System-level privilege on the target Android device - this is stated directly in the CVE description ('if a malicious actor has already obtained the System privilege') and is reflected in the CVSS PR:H metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.7 (Medium) with vector AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H accurately characterises the threat: while the potential impact is severe (full C/I/A compromise), the PR:H prerequisite - requiring the attacker to already hold System-level privilege - is the dominant risk limiter. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has already compromised an affected MediaTek-powered Android device and obtained System-level privilege - for example, through a malicious pre-installed application or a prior local privilege escalation exploit targeting a separate vulnerability - delivers specially crafted input to the Telephony subsystem, triggering the heap buffer overflow and corrupting adjacent heap structures. With AC:L once the privilege threshold is met, the attacker leverages the memory corruption to overwrite a function pointer or similar control-flow structure within the Telephony process, redirecting execution to attacker-controlled code at a higher privilege tier. …
Remediation The primary remediation is to apply the vendor-released patch identified as ALPS11006447 (Issue ID: MSV-7871), distributed through MediaTek's July 2026 Product Security Bulletin at https://corp.mediatek.com/product-security-bulletin/July-2026. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-20433 HIGH
8.8 Apr 07

Out-of-bounds write in MediaTek modem firmware enables remote privilege escalation when devices connect to attacker-cont

CVE-2026-20432 HIGH
8.0 Apr 07

Out-of-bounds write in MediaTek modem chipset implementations allows remote privilege escalation when user equipment con

CVE-2026-20452 HIGH
8.0 Jun 01

Heap buffer overflow in the MediaTek WLAN access point driver allows adjacent-network attackers with low-privilege user

CVE-2026-20455 HIGH
7.8 Jun 01

Local privilege escalation in MediaTek GenieZone (trusted execution environment) allows an attacker who has already gain

CVE-2026-20458 HIGH
7.5 Jul 01

Remote privilege escalation in the baseband modem firmware of dozens of MediaTek chipsets allows an attacker operating a

CVE-2026-20463 MEDIUM
6.7 Jul 01

Local privilege escalation in the Modem component across 80+ MediaTek chipsets allows an attacker already holding System

CVE-2026-20453 MEDIUM
6.7 Jun 01

Local privilege escalation in MediaTek's geniezone hypervisor component affects 36 distinct chipsets spanning budget to

CVE-2026-20451 MEDIUM
6.7 May 04

Out-of-bounds write in MediaTek's slbc (secure local buffer component) due to type confusion allows local privilege esca

CVE-2026-20447 MEDIUM
6.7 May 04

Local privilege escalation in MediaTek geniezone component due to missing bounds check allows System-privileged actors t

CVE-2026-20448 MEDIUM
6.7 May 04

Local privilege escalation in MediaTek chipsets (MT6765, MT8893, MT8791T, and 19 others) due to missing permission check

CVE-2026-20450 MEDIUM
6.5 May 04

Remote denial of service in MediaTek modem firmware across 47+ chipset variants allows attackers to crash the modem via

CVE-2026-20431 MEDIUM
6.5 Apr 07

Remote denial of service in MediaTek modem chipsets allows unauthenticated attackers to crash the system via a logic err

Share

CVE-2026-20462 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy