Skip to main content

MediaTek WLAN Driver EUVDEUVD-2026-33545

| CVE-2026-20456 MEDIUM
Out-of-bounds Write (CWE-787)
2026-06-01 MediaTek GHSA-v8qh-hh5q-9vc3
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 01, 2026 - 13:24 vuln.today
CVSS changed
Jun 01, 2026 - 13:22 NVD
5.5 (MEDIUM)
CVE Published
Jun 01, 2026 - 03:20 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In wlan STA driver, there is a possible system crash due to a missing bounds check. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00480851; Issue ID: MSV-6338.

AnalysisAI

Out-of-bounds write in the MediaTek WLAN STA (Station mode) driver enables local denial of service across six MediaTek Wi-Fi chipset families, confirmed by MediaTek in their June 2026 Product Security Bulletin. A low-privileged local user can crash the system without any user interaction by triggering the missing bounds check in the driver, exploiting CWE-787 memory corruption. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Technical ContextAI

The vulnerability resides in the WLAN Station (STA) mode driver for MediaTek Wi-Fi chipsets, specifically the client-mode Wi-Fi stack used when a device connects to an access point. CWE-787 (Out-of-Bounds Write) is the root cause class: a write operation proceeds beyond the allocated buffer boundary due to an absent bounds validation check, corrupting adjacent memory and triggering a system crash. This pattern is characteristic of unsafe driver ioctl handling or data path processing where input length is not validated against buffer capacity. The affected chipsets - MT7921, MT7922, MT7925, MT7927, MT7902, and MT7920 - are MediaTek Wi-Fi 6 and Wi-Fi 6E silicon widely integrated into consumer laptops (including Chromebooks and Windows platforms), Android devices, and embedded IoT endpoints. CPE: cpe:2.3:a:mediatek,_inc.:mediatek_chipset:*:*:*:*:*:*:*:*. The internal tracking IDs are Patch ID WCNCR00480851 and Issue ID MSV-6338.

RemediationAI

Apply the patch identified by MediaTek as Patch ID WCNCR00480851, distributed through the June 2026 MediaTek Product Security Bulletin at https://corp.mediatek.com/product-security-bulletin/June-2026. Because MediaTek supplies chipsets to OEM device manufacturers, end users must obtain updates through their device vendor's firmware or driver update channel - not directly from MediaTek. Monitor your device manufacturer's support pages for driver updates incorporating this patch. An exact patched driver version number is not independently confirmable from available references beyond the patch ID. As a compensating control where patching is not immediately feasible, restricting the number of local user accounts with shell or driver-level access reduces exposure on multi-user systems, though this carries usability trade-offs. Disabling Wi-Fi entirely would eliminate the attack surface at the cost of connectivity. These are temporary mitigations only; the vendor patch is the definitive fix.

CVE-2026-20433 HIGH
8.8 Apr 07

Out-of-bounds write in MediaTek modem firmware enables remote privilege escalation when devices connect to attacker-cont

CVE-2026-20432 HIGH
8.0 Apr 07

Out-of-bounds write in MediaTek modem chipset implementations allows remote privilege escalation when user equipment con

CVE-2026-20452 HIGH
8.0 Jun 01

Heap buffer overflow in the MediaTek WLAN access point driver allows adjacent-network attackers with low-privilege user

CVE-2026-20455 HIGH
7.8 Jun 01

Local privilege escalation in MediaTek GenieZone (trusted execution environment) allows an attacker who has already gain

CVE-2026-20458 HIGH
7.5 Jul 01

Remote privilege escalation in the baseband modem firmware of dozens of MediaTek chipsets allows an attacker operating a

CVE-2026-20462 MEDIUM
6.7 Jul 01

Heap buffer overflow in the Telephony subsystem of MediaTek chipsets enables local privilege escalation on affected Andr

CVE-2026-20463 MEDIUM
6.7 Jul 01

Local privilege escalation in the Modem component across 80+ MediaTek chipsets allows an attacker already holding System

CVE-2026-20453 MEDIUM
6.7 Jun 01

Local privilege escalation in MediaTek's geniezone hypervisor component affects 36 distinct chipsets spanning budget to

CVE-2026-20451 MEDIUM
6.7 May 04

Out-of-bounds write in MediaTek's slbc (secure local buffer component) due to type confusion allows local privilege esca

CVE-2026-20447 MEDIUM
6.7 May 04

Local privilege escalation in MediaTek geniezone component due to missing bounds check allows System-privileged actors t

CVE-2026-20448 MEDIUM
6.7 May 04

Local privilege escalation in MediaTek chipsets (MT6765, MT8893, MT8791T, and 19 others) due to missing permission check

CVE-2026-20450 MEDIUM
6.5 May 04

Remote denial of service in MediaTek modem firmware across 47+ chipset variants allows attackers to crash the modem via

Share

EUVD-2026-33545 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy