Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In geniezone, there is a possible escalation of privilege due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10724073; Issue ID: MSV-6296.
AnalysisAI
Local privilege escalation in MediaTek geniezone component due to missing bounds check allows System-privileged actors to achieve total system compromise across multiple chipset models. The vulnerability requires prior System-level access and affects 17 MediaTek chipset variants (MT6899, MT8791T, MT8786, MT6789, MT8367, MT6768, MT8766, MT6993, MT6991, MT6877, MT8788E, MT8781, MT8768, MT6989, MT8910, MT8196, MT8793). No public exploit code identified at time of analysis; exploitation remains unconfirmed in active systems despite SSVC indicating total technical impact potential.
Technical ContextAI
The vulnerability exists in geniezone, MediaTek's secure execution environment (TEE) or privileged system component, where a buffer overflow due to missing bounds checking (CWE-125) allows privilege escalation. The affected products span multiple generations of MediaTek mobile system-on-chip (SoC) architectures used in smartphones, tablets, and embedded devices. The CPE indicates the vulnerability affects the chipset firmware/driver layer where geniezone operates with high privilege levels. The missing bounds check on a buffer operation permits an already-privileged actor to write beyond allocated memory, potentially corrupting critical data structures or injecting code that maintains or extends privilege levels.
RemediationAI
Vendors (OEMs and device manufacturers) must apply MediaTek's patch identified as ALPS10724073 (Issue MSV-6296) released in the May 2026 product security bulletin available at https://corp.mediatek.com/product-security-bulletin/May-2026. End users should install firmware updates for affected devices as released by their device manufacturer (Samsung, Oppo, Vivo, Xiaomi, etc.) incorporating the patched chipset firmware. For devices unable to receive timely patches, restrict System-level application installation to trusted sources only and monitor for suspicious privilege escalation attempts, though these mitigations are weak and compensate only partially for the underlying code defect. The low EPSS score and 'Automatable: no' SSVC rating suggest that while patches should be deployed during normal maintenance windows, this is not a critical emergency patch that justifies disrupting operations for out-of-cycle deployment on most networks.
More in Mediatek Chipset
View allOut-of-bounds write in MediaTek modem firmware enables remote privilege escalation when devices connect to attacker-cont
Out-of-bounds write in MediaTek modem chipset implementations allows remote privilege escalation when user equipment con
Heap buffer overflow in the MediaTek WLAN access point driver allows adjacent-network attackers with low-privilege user
Local privilege escalation in MediaTek GenieZone (trusted execution environment) allows an attacker who has already gain
Remote privilege escalation in the baseband modem firmware of dozens of MediaTek chipsets allows an attacker operating a
Heap buffer overflow in the Telephony subsystem of MediaTek chipsets enables local privilege escalation on affected Andr
Local privilege escalation in the Modem component across 80+ MediaTek chipsets allows an attacker already holding System
Local privilege escalation in MediaTek's geniezone hypervisor component affects 36 distinct chipsets spanning budget to
Out-of-bounds write in MediaTek's slbc (secure local buffer component) due to type confusion allows local privilege esca
Local privilege escalation in MediaTek chipsets (MT6765, MT8893, MT8791T, and 19 others) due to missing permission check
Remote denial of service in MediaTek modem firmware across 47+ chipset variants allows attackers to crash the modem via
Remote denial of service in MediaTek modem chipsets allows unauthenticated attackers to crash the system via a logic err
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26885