Skip to main content

MediaTek Modem EUVDEUVD-2026-40874

| CVE-2026-20461 MEDIUM
Out-of-bounds Write (CWE-787)
2026-07-01 MediaTek GHSA-69rh-fj32-xxwg
5.3
CVSS 3.1 · Vendor: MediaTek
Share

Severity by source

Vendor (MediaTek) PRIMARY
5.3 MEDIUM
AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.9 MEDIUM

AV:N reflects cellular network delivery; AC:H captures the rogue base station prerequisite; PR:N and UI:N are accurate as the modem processes signals autonomously; A:H for modem crash; C:N and I:N as no data exfiltration or integrity impact is described.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (MediaTek).

CVSS VectorVendor: MediaTek

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
CVSS changed
Jul 01, 2026 - 12:22 NVD
5.9 (MEDIUM) 5.3 (MEDIUM)
Analysis Generated
Jul 01, 2026 - 11:25 vuln.today
CVSS changed
Jul 01, 2026 - 11:22 NVD
5.9 (MEDIUM)
CVE Published
Jul 01, 2026 - 03:14 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01267281 / MOLY01318201; Issue ID: MSV-6486.

AnalysisAI

Out-of-bounds write in MediaTek modem firmware allows a network-adjacent attacker controlling a rogue cellular base station to remotely crash affected User Equipment (UE), resulting in denial of service. Thirty-three distinct MediaTek chipsets - spanning flagship mobile SoCs (MT6991, MT6989, MT6985) to tablet and IoT chipsets (MT8795T, MT8893) - contain the vulnerable modem component identified under Patch IDs MOLY01267281 and MOLY01318201. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Deploy rogue cellular base station
Delivery
Lure or force nearby UE to camp on attacker cell
Exploit
Send malformed modem protocol message
Install
Trigger missing bounds check
C2
Out-of-bounds write corrupts modem memory
Execute
Modem stack crashes
Impact
UE loses all cellular connectivity

Vulnerability AssessmentAI

Exploitation Exploitation requires the target User Equipment (UE) - any mobile device containing one of the 33 listed MediaTek chipsets - to be physically connected (camped) to a rogue cellular base station under attacker control. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) accurately captures both the severity and the constraint: the High Attack Complexity reflects the real-world barrier of deploying or compromising a cellular base station, which requires significant resources and technical capability beyond a typical threat actor. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with access to software-defined radio (SDR) equipment and cellular infrastructure knowledge deploys a rogue LTE or 5G base station - a capability within reach of nation-state actors and some organized criminal groups - and broadcasts signals strong enough to force nearby devices to camp on the attacker-controlled cell. Once a target UE attaches to the rogue base station, the attacker transmits a crafted modem protocol message containing malformed data that triggers the missing bounds check, causing an out-of-bounds write in modem memory, crashing the modem stack and rendering the device unable to make or receive cellular calls or data until rebooted. …
Remediation MediaTek has released patches under Patch IDs MOLY01267281 and MOLY01318201 (Issue ID: MSV-6486), distributed to OEM partners via the July 2026 Product Security Bulletin at https://corp.mediatek.com/product-security-bulletin/July-2026. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-20433 HIGH
8.8 Apr 07

Out-of-bounds write in MediaTek modem firmware enables remote privilege escalation when devices connect to attacker-cont

CVE-2026-20432 HIGH
8.0 Apr 07

Out-of-bounds write in MediaTek modem chipset implementations allows remote privilege escalation when user equipment con

CVE-2026-20452 HIGH
8.0 Jun 01

Heap buffer overflow in the MediaTek WLAN access point driver allows adjacent-network attackers with low-privilege user

CVE-2026-20455 HIGH
7.8 Jun 01

Local privilege escalation in MediaTek GenieZone (trusted execution environment) allows an attacker who has already gain

CVE-2026-20458 HIGH
7.5 Jul 01

Remote privilege escalation in the baseband modem firmware of dozens of MediaTek chipsets allows an attacker operating a

CVE-2026-20462 MEDIUM
6.7 Jul 01

Heap buffer overflow in the Telephony subsystem of MediaTek chipsets enables local privilege escalation on affected Andr

CVE-2026-20463 MEDIUM
6.7 Jul 01

Local privilege escalation in the Modem component across 80+ MediaTek chipsets allows an attacker already holding System

CVE-2026-20453 MEDIUM
6.7 Jun 01

Local privilege escalation in MediaTek's geniezone hypervisor component affects 36 distinct chipsets spanning budget to

CVE-2026-20451 MEDIUM
6.7 May 04

Out-of-bounds write in MediaTek's slbc (secure local buffer component) due to type confusion allows local privilege esca

CVE-2026-20447 MEDIUM
6.7 May 04

Local privilege escalation in MediaTek geniezone component due to missing bounds check allows System-privileged actors t

CVE-2026-20448 MEDIUM
6.7 May 04

Local privilege escalation in MediaTek chipsets (MT6765, MT8893, MT8791T, and 19 others) due to missing permission check

CVE-2026-20450 MEDIUM
6.5 May 04

Remote denial of service in MediaTek modem firmware across 47+ chipset variants allows attackers to crash the modem via

Share

EUVD-2026-40874 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy