Skip to main content

MediaTek Modem EUVDEUVD-2026-40873

| CVE-2026-20460 MEDIUM
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-07-01 MediaTek GHSA-7cqg-gq5x-qr9q
5.3
CVSS 3.1 · Vendor: MediaTek
Share

Severity by source

Vendor (MediaTek) PRIMARY
5.3 MEDIUM
AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.3 MEDIUM

AV:A and AC:H reflect mandatory rogue base station proximity; C:H for meaningful modem-layer data leakage; I:N and A:N as no write or availability impact occurs.

3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (MediaTek).

CVSS VectorVendor: MediaTek

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 13:31 vuln.today
CVSS changed
Jul 01, 2026 - 12:22 NVD
5.9 (MEDIUM) 5.3 (MEDIUM)
CVSS changed
Jul 01, 2026 - 11:22 NVD
5.9 (MEDIUM)
CVE Published
Jul 01, 2026 - 03:14 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In Modem, there is a possible information disclosure due to improper input validation. This could lead to remote information disclosure, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01811421; Issue ID: MSV-6788.

AnalysisAI

Information disclosure in MediaTek modem firmware across 67+ chipset models enables a network-adjacent attacker operating a rogue cellular base station to extract sensitive data from a victim's User Equipment (UE) without any privileges or user interaction. The root cause is improper input validation (CWE-288) in the modem baseband stack, allowing a fake cell tower to elicit confidential data from connected devices. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Deploy rogue base station near target
Delivery
Victim UE auto-associates with fake cell tower
Exploit
Send crafted malformed protocol messages to UE modem
Execution
Trigger improper input validation bypass (CWE-288)
Impact
Modem leaks sensitive data in response

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to physically operate a rogue cellular base station (fake eNodeB or gNB) within radio range of the target UE - this is the AV:A (Adjacent Network) constraint in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 5.3 Medium score reflects a careful balance of constraining factors: AV:A (Adjacent Network) requires the attacker to operate a rogue base station in physical proximity to the victim, and AC:H (High Complexity) acknowledges the non-trivial operational requirements of deploying a fake cell tower. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker deploys a portable rogue base station (software-defined radio with fake eNodeB/gNB software) in a location where the target's device is likely to be, such as a conference, border crossing, or government building. The victim's device passively connects to the rogue tower as part of normal cellular association without user awareness. …
Remediation The primary remediation is applying patch MOLY01811421 released by MediaTek, as referenced in the July 2026 Product Security Bulletin (https://corp.mediatek.com/product-security-bulletin/July-2026). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-20433 HIGH
8.8 Apr 07

Out-of-bounds write in MediaTek modem firmware enables remote privilege escalation when devices connect to attacker-cont

CVE-2026-20432 HIGH
8.0 Apr 07

Out-of-bounds write in MediaTek modem chipset implementations allows remote privilege escalation when user equipment con

CVE-2026-20452 HIGH
8.0 Jun 01

Heap buffer overflow in the MediaTek WLAN access point driver allows adjacent-network attackers with low-privilege user

CVE-2026-20455 HIGH
7.8 Jun 01

Local privilege escalation in MediaTek GenieZone (trusted execution environment) allows an attacker who has already gain

CVE-2026-20458 HIGH
7.5 Jul 01

Remote privilege escalation in the baseband modem firmware of dozens of MediaTek chipsets allows an attacker operating a

CVE-2026-20462 MEDIUM
6.7 Jul 01

Heap buffer overflow in the Telephony subsystem of MediaTek chipsets enables local privilege escalation on affected Andr

CVE-2026-20463 MEDIUM
6.7 Jul 01

Local privilege escalation in the Modem component across 80+ MediaTek chipsets allows an attacker already holding System

CVE-2026-20453 MEDIUM
6.7 Jun 01

Local privilege escalation in MediaTek's geniezone hypervisor component affects 36 distinct chipsets spanning budget to

CVE-2026-20451 MEDIUM
6.7 May 04

Out-of-bounds write in MediaTek's slbc (secure local buffer component) due to type confusion allows local privilege esca

CVE-2026-20447 MEDIUM
6.7 May 04

Local privilege escalation in MediaTek geniezone component due to missing bounds check allows System-privileged actors t

CVE-2026-20448 MEDIUM
6.7 May 04

Local privilege escalation in MediaTek chipsets (MT6765, MT8893, MT8791T, and 19 others) due to missing permission check

CVE-2026-20450 MEDIUM
6.5 May 04

Remote denial of service in MediaTek modem firmware across 47+ chipset variants allows attackers to crash the modem via

Share

EUVD-2026-40873 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy