Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Unauthenticated, no-interaction IMS signaling triggers an out-of-bounds read causing a crash, so PR:N/UI:N with availability-only impact (A:H, C:N, I:N).
Primary rating from Vendor (Unisoc).
CVSS VectorVendor: Unisoc
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
In IMS, there is a possible out of bounds read due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed.
AnalysisAI
Remote denial of service in the IMS (IP Multimedia Subsystem) implementation of Unisoc mobile chipsets allows an unauthenticated remote attacker to crash the affected component via an out-of-bounds read triggered by a missing bounds check. The flaw spans a broad range of Unisoc SoCs (SC7731E, SC9832E, SC9863A, T310/T610/T618, T7200-series, T8100/T8200/T8300, T9100) commonly used in budget Android smartphones. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the ability to deliver malformed IMS (IP Multimedia Subsystem) signaling to the device's Unisoc chipset - the target must have IMS/VoLTE/VoWiFi active and reachable via the signaling path. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) rates this as network-reachable, low-complexity, unauthenticated, with high availability impact and no confidentiality or integrity impact - consistent with a pure DoS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker able to send crafted IMS signaling to a target device - for example via a malicious SIP/IMS peer or a rogue base station on the operator path - transmits a malformed message that triggers the missing bounds check. The IMS component reads out of bounds and crashes, disrupting VoLTE/VoWiFi and telephony services on the affected Unisoc-powered handset. … |
| Remediation | Apply the fix distributed through the Unisoc Product Security Bulletin (https://www.unisoc.com/en/support/product-security-bulletin/2072920457676509185) as delivered by your device OEM's firmware/security update for the affected chipset; because no exact patched build version is provided in the source data, treat this as patch available per vendor advisory and confirm the specific baseband/firmware version with the OEM. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all devices using affected Unisoc SoCs (SC7731E, SC9832E, SC9863A, T310, T610, T618, T7200-series, T8100, T8200, T8300, T9100) in your infrastructure and assess their role in critical systems. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Sc7731E Sc9832E Sc9863A T310 T610 T618 T7200 T7225 T7250 T7255 T7280 T7300 T8100 T9100 T8200 T8300
View allRemote attackers can crash Unisoc chipset IMS (IP Multimedia Subsystem) implementations through network-accessible malfo
Remote denial of service in Unisoc modem IMS implementation across 16 chipset families (SC7731E through T8300) allows un
Remote denial of service in Unisoc modem IMS (IP Multimedia Subsystem) implementation allows unauthenticated network att
Remote denial of service in Unisoc modem IMS stack allows network attackers to crash affected devices through malformed
Remote denial of service in Unisoc Modem IMS stack allows unauthenticated network attackers to crash mobile devices thro
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41496
GHSA-5fx8-7mc9-6rhf