Mediatek Chipset
Monthly
Local privilege escalation in the Modem component across 80+ MediaTek chipsets allows an attacker already holding System-level access to bypass permission enforcement (CWE-280) and escalate further within the device. The vulnerability is confirmed by MediaTek in their July 2026 Product Security Bulletin (Patch ID: MOLY01716533, Issue ID: MSV-6309) and affects a broad swath of chipsets spanning low-end to flagship tiers. No user interaction is required for exploitation, but the prerequisite of System-level access significantly constrains the realistic attack surface. No public exploit code or CISA KEV listing has been identified at time of analysis.
Heap buffer overflow in the Telephony subsystem of MediaTek chipsets enables local privilege escalation on affected Android devices, delivering full confidentiality, integrity, and availability impact. Twenty-two specific MediaTek SoC variants are confirmed affected, spanning the MT6xxx and MT8xxx mid-range and budget families. No public exploit has been identified at time of analysis; MediaTek has issued patch ALPS11006447 via their July 2026 security bulletin, but exploitation requires a pre-existing System-level privilege on the device, making this a chaining vulnerability rather than a standalone entry vector.
Out-of-bounds write in MediaTek modem firmware allows a network-adjacent attacker controlling a rogue cellular base station to remotely crash affected User Equipment (UE), resulting in denial of service. Thirty-three distinct MediaTek chipsets - spanning flagship mobile SoCs (MT6991, MT6989, MT6985) to tablet and IoT chipsets (MT8795T, MT8893) - contain the vulnerable modem component identified under Patch IDs MOLY01267281 and MOLY01318201. No public exploit code has been identified at time of analysis, and the attack is non-trivial due to the requirement for attacker-controlled cellular infrastructure, but the sheer deployment scale of affected chipsets across Android devices makes the aggregate exposure significant.
Information disclosure in MediaTek modem firmware across 67+ chipset models enables a network-adjacent attacker operating a rogue cellular base station to extract sensitive data from a victim's User Equipment (UE) without any privileges or user interaction. The root cause is improper input validation (CWE-288) in the modem baseband stack, allowing a fake cell tower to elicit confidential data from connected devices. No active exploitation has been confirmed by CISA KEV, and SSVC assessment rates exploitation as 'none' at time of analysis, though the architecture of the attack closely resembles IMSI-catcher and stingray-type tradecraft used in targeted surveillance operations.
Remote denial-of-service in MediaTek modem firmware across 80+ chipset families allows an attacker operating a rogue cellular base station to crash affected devices by sending malformed input the modem fails to validate. The vulnerability (CWE-288) requires no privileges on the target device and no user interaction - a device that autonomously connects to the attacker's false base station is sufficient. No public exploit code has been identified at time of analysis, and SSVC classifies exploitation status as none, though the widespread chipset deployment across Android handsets and IoT hardware makes the affected attack surface extremely broad.
Remote privilege escalation in the baseband modem firmware of dozens of MediaTek chipsets allows an attacker operating a rogue base station to corrupt modem memory via a missing bounds check (out-of-bounds write, CWE-787). Once a target UE camps on the attacker-controlled cell, exploitation requires no user interaction and no pre-existing privileges, potentially yielding privilege escalation within the modem subsystem. Tracked in MediaTek's July 2026 Product Security Bulletin (Patch ID MOLY01402160); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote denial of service in the MediaTek Modem firmware component affects approximately 60 chipset models via a null pointer dereference triggered when a target device connects to a rogue cellular base station. An attacker controlling a fake eNodeB or gNodeB can transmit crafted modem protocol messages that cause improper input validation to fail, crashing the modem and stripping affected devices of cellular connectivity. No public exploit has been identified at time of analysis, and CISA SSVC rates current exploitation status as none, indicating this remains a theoretical but technically feasible threat for well-resourced actors.
Out-of-bounds write in the MediaTek WLAN STA (Station mode) driver enables local denial of service across six MediaTek Wi-Fi chipset families, confirmed by MediaTek in their June 2026 Product Security Bulletin. A low-privileged local user can crash the system without any user interaction by triggering the missing bounds check in the driver, exploiting CWE-787 memory corruption. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Local privilege escalation in MediaTek GenieZone (trusted execution environment) allows an attacker who has already gained System-level privileges on an affected device to write out-of-bounds memory and escalate further on the chipset. The flaw affects a broad range of MediaTek chipsets used in mobile and embedded devices, with no public exploit identified at time of analysis. CVSS is 7.8 (High) reflecting the high integrity, confidentiality, and availability impact despite the local attack vector.
Local privilege escalation in MediaTek's GenieZone hypervisor component affects 36 distinct chipsets via a race condition-induced out-of-bounds write. An attacker who has already obtained System-level privilege on an affected Android device can exploit the TOCTOU flaw to escalate further - likely to kernel or hypervisor-level execution - achieving full confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis, and no KEV listing exists; however, the wide chipset footprint spanning flagship to budget SoCs significantly broadens the potential attack surface.
Local privilege escalation in MediaTek's geniezone hypervisor component affects 36 distinct chipsets spanning budget to flagship tiers. An attacker who has already achieved System-level privilege can trigger an out-of-bounds write caused by a missing bounds check, escalating further - likely into kernel or hypervisor trust boundaries - with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and this is not listed in the CISA KEV catalog; however, the post-compromise escalation path makes this relevant to threat actors performing multi-stage device compromise on Android-based MediaTek hardware.
Heap buffer overflow in the MediaTek WLAN access point driver allows adjacent-network attackers with low-privilege user execution to corrupt memory and achieve remote code execution without user interaction. The flaw affects multiple MediaTek Wi-Fi chipsets commonly embedded in routers and access points (MT7615, MT7915, MT7916, MT7981, MT7986, MT7990, MT7992, MT7993, MT6890). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Out-of-bounds write in MediaTek's slbc (secure local buffer component) due to type confusion allows local privilege escalation to full system compromise when an attacker already holds System privilege. The vulnerability requires no user interaction and affects 32 MediaTek chipset models. CISA SSVC framework rates technical impact as total; however, EPSS score of 0.02% suggests limited real-world exploitation despite the high CVSS score of 6.7, likely due to the requirement for pre-existing System privilege.
Remote denial of service in MediaTek modem firmware across 47+ chipset variants allows attackers to crash the modem via incorrect error handling when a user equipment device connects to a rogue base station, requiring no authentication or user interaction. The vulnerability affects a broad range of MediaTek cellular chipsets (MT6855, MT6985, MT8793, and others) and carries a CVSS 6.5 score reflecting network-adjacent attack vector and high availability impact. Patch MSV-6100 / MOLY01753620 is available from MediaTek.
Heap buffer overflow in MediaTek modem firmware allows remote denial of service when a device connects to an attacker-controlled base station. The vulnerability affects a wide range of MediaTek chipsets and can crash the modem without requiring user interaction or special privileges. No public exploit code has been identified, and CISA has not listed this in the Known Exploited Vulnerabilities catalog, though the low EPSS score (0.07%) suggests limited real-world exploitation likelihood despite the attack vector requiring only adjacent network access.
Local privilege escalation in MediaTek chipsets (MT6765, MT8893, MT8791T, and 19 others) due to missing permission checks in geniezone allows attackers with System privilege to escalate their access without user interaction. CVSS 6.7 reflects high confidentiality, integrity, and availability impact, but EPSS score of 0.02% (4th percentile) and SSVC 'none' exploitation status indicate this vulnerability has not been observed in active, widespread exploitation despite the low barrier to exploitation from privileged context.
Local privilege escalation in MediaTek geniezone component due to missing bounds check allows System-privileged actors to achieve total system compromise across multiple chipset models. The vulnerability requires prior System-level access and affects 17 MediaTek chipset variants (MT6899, MT8791T, MT8786, MT6789, MT8367, MT6768, MT8766, MT6993, MT6991, MT6877, MT8788E, MT8781, MT8768, MT6989, MT8910, MT8196, MT8793). No public exploit code identified at time of analysis; exploitation remains unconfirmed in active systems despite SSVC indicating total technical impact potential.
Integer overflow in MediaTek secure boot (sec boot) leads to out-of-bounds write causing local denial of service on affected MediaTek chipsets. Attack requires physical device access and local user execution privileges, with no user interaction needed. EPSS score of 0.02% and CISA SSVC assessment of 'none' exploitation status indicate low real-world risk despite the moderate CVSS base score of 4.3.
Out-of-bounds write in MediaTek modem firmware enables remote privilege escalation when devices connect to attacker-controlled rogue cellular base stations. The vulnerability affects over 60 MediaTek chipset models widely deployed in smartphones and IoT devices, exploitable by adjacent network attackers without authentication (CVSS:3.1 AV:A/PR:N). While EPSS scores this at only 6% exploitation probability (18th percentile) and no active exploitation is confirmed at time of analysis, the attack s
Out-of-bounds write in MediaTek modem chipset implementations allows remote privilege escalation when user equipment connects to an attacker-controlled rogue cellular base station. Affects 57 MediaTek chipset models across MT67xx, MT68xx, MT69xx, MT87xx, and MT27xx families used in mobile devices. Authentication not required (CVSS PR:N) but requires adjacent network access and user interaction to connect to malicious base station. EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability. No public exploit identified at time of analysis, though vendor patch MOLY01406170 has been released per April 2026 MediaTek security bulletin.
Remote denial of service in MediaTek modem chipsets allows unauthenticated attackers to crash the system via a logic error when connecting to a rogue base station. The vulnerability affects 19 MediaTek chipset models (MT8678, MT6899, MT6897, and others) with no authentication or user interaction required. EPSS score of 0.08% (24th percentile) and CISA SSVC framework rating of no confirmed exploitation and partial technical impact suggest this is a low real-world priority despite the moderate CVSS 6.5 score.
Local privilege escalation in the Modem component across 80+ MediaTek chipsets allows an attacker already holding System-level access to bypass permission enforcement (CWE-280) and escalate further within the device. The vulnerability is confirmed by MediaTek in their July 2026 Product Security Bulletin (Patch ID: MOLY01716533, Issue ID: MSV-6309) and affects a broad swath of chipsets spanning low-end to flagship tiers. No user interaction is required for exploitation, but the prerequisite of System-level access significantly constrains the realistic attack surface. No public exploit code or CISA KEV listing has been identified at time of analysis.
Heap buffer overflow in the Telephony subsystem of MediaTek chipsets enables local privilege escalation on affected Android devices, delivering full confidentiality, integrity, and availability impact. Twenty-two specific MediaTek SoC variants are confirmed affected, spanning the MT6xxx and MT8xxx mid-range and budget families. No public exploit has been identified at time of analysis; MediaTek has issued patch ALPS11006447 via their July 2026 security bulletin, but exploitation requires a pre-existing System-level privilege on the device, making this a chaining vulnerability rather than a standalone entry vector.
Out-of-bounds write in MediaTek modem firmware allows a network-adjacent attacker controlling a rogue cellular base station to remotely crash affected User Equipment (UE), resulting in denial of service. Thirty-three distinct MediaTek chipsets - spanning flagship mobile SoCs (MT6991, MT6989, MT6985) to tablet and IoT chipsets (MT8795T, MT8893) - contain the vulnerable modem component identified under Patch IDs MOLY01267281 and MOLY01318201. No public exploit code has been identified at time of analysis, and the attack is non-trivial due to the requirement for attacker-controlled cellular infrastructure, but the sheer deployment scale of affected chipsets across Android devices makes the aggregate exposure significant.
Information disclosure in MediaTek modem firmware across 67+ chipset models enables a network-adjacent attacker operating a rogue cellular base station to extract sensitive data from a victim's User Equipment (UE) without any privileges or user interaction. The root cause is improper input validation (CWE-288) in the modem baseband stack, allowing a fake cell tower to elicit confidential data from connected devices. No active exploitation has been confirmed by CISA KEV, and SSVC assessment rates exploitation as 'none' at time of analysis, though the architecture of the attack closely resembles IMSI-catcher and stingray-type tradecraft used in targeted surveillance operations.
Remote denial-of-service in MediaTek modem firmware across 80+ chipset families allows an attacker operating a rogue cellular base station to crash affected devices by sending malformed input the modem fails to validate. The vulnerability (CWE-288) requires no privileges on the target device and no user interaction - a device that autonomously connects to the attacker's false base station is sufficient. No public exploit code has been identified at time of analysis, and SSVC classifies exploitation status as none, though the widespread chipset deployment across Android handsets and IoT hardware makes the affected attack surface extremely broad.
Remote privilege escalation in the baseband modem firmware of dozens of MediaTek chipsets allows an attacker operating a rogue base station to corrupt modem memory via a missing bounds check (out-of-bounds write, CWE-787). Once a target UE camps on the attacker-controlled cell, exploitation requires no user interaction and no pre-existing privileges, potentially yielding privilege escalation within the modem subsystem. Tracked in MediaTek's July 2026 Product Security Bulletin (Patch ID MOLY01402160); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote denial of service in the MediaTek Modem firmware component affects approximately 60 chipset models via a null pointer dereference triggered when a target device connects to a rogue cellular base station. An attacker controlling a fake eNodeB or gNodeB can transmit crafted modem protocol messages that cause improper input validation to fail, crashing the modem and stripping affected devices of cellular connectivity. No public exploit has been identified at time of analysis, and CISA SSVC rates current exploitation status as none, indicating this remains a theoretical but technically feasible threat for well-resourced actors.
Out-of-bounds write in the MediaTek WLAN STA (Station mode) driver enables local denial of service across six MediaTek Wi-Fi chipset families, confirmed by MediaTek in their June 2026 Product Security Bulletin. A low-privileged local user can crash the system without any user interaction by triggering the missing bounds check in the driver, exploiting CWE-787 memory corruption. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Local privilege escalation in MediaTek GenieZone (trusted execution environment) allows an attacker who has already gained System-level privileges on an affected device to write out-of-bounds memory and escalate further on the chipset. The flaw affects a broad range of MediaTek chipsets used in mobile and embedded devices, with no public exploit identified at time of analysis. CVSS is 7.8 (High) reflecting the high integrity, confidentiality, and availability impact despite the local attack vector.
Local privilege escalation in MediaTek's GenieZone hypervisor component affects 36 distinct chipsets via a race condition-induced out-of-bounds write. An attacker who has already obtained System-level privilege on an affected Android device can exploit the TOCTOU flaw to escalate further - likely to kernel or hypervisor-level execution - achieving full confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis, and no KEV listing exists; however, the wide chipset footprint spanning flagship to budget SoCs significantly broadens the potential attack surface.
Local privilege escalation in MediaTek's geniezone hypervisor component affects 36 distinct chipsets spanning budget to flagship tiers. An attacker who has already achieved System-level privilege can trigger an out-of-bounds write caused by a missing bounds check, escalating further - likely into kernel or hypervisor trust boundaries - with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and this is not listed in the CISA KEV catalog; however, the post-compromise escalation path makes this relevant to threat actors performing multi-stage device compromise on Android-based MediaTek hardware.
Heap buffer overflow in the MediaTek WLAN access point driver allows adjacent-network attackers with low-privilege user execution to corrupt memory and achieve remote code execution without user interaction. The flaw affects multiple MediaTek Wi-Fi chipsets commonly embedded in routers and access points (MT7615, MT7915, MT7916, MT7981, MT7986, MT7990, MT7992, MT7993, MT6890). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Out-of-bounds write in MediaTek's slbc (secure local buffer component) due to type confusion allows local privilege escalation to full system compromise when an attacker already holds System privilege. The vulnerability requires no user interaction and affects 32 MediaTek chipset models. CISA SSVC framework rates technical impact as total; however, EPSS score of 0.02% suggests limited real-world exploitation despite the high CVSS score of 6.7, likely due to the requirement for pre-existing System privilege.
Remote denial of service in MediaTek modem firmware across 47+ chipset variants allows attackers to crash the modem via incorrect error handling when a user equipment device connects to a rogue base station, requiring no authentication or user interaction. The vulnerability affects a broad range of MediaTek cellular chipsets (MT6855, MT6985, MT8793, and others) and carries a CVSS 6.5 score reflecting network-adjacent attack vector and high availability impact. Patch MSV-6100 / MOLY01753620 is available from MediaTek.
Heap buffer overflow in MediaTek modem firmware allows remote denial of service when a device connects to an attacker-controlled base station. The vulnerability affects a wide range of MediaTek chipsets and can crash the modem without requiring user interaction or special privileges. No public exploit code has been identified, and CISA has not listed this in the Known Exploited Vulnerabilities catalog, though the low EPSS score (0.07%) suggests limited real-world exploitation likelihood despite the attack vector requiring only adjacent network access.
Local privilege escalation in MediaTek chipsets (MT6765, MT8893, MT8791T, and 19 others) due to missing permission checks in geniezone allows attackers with System privilege to escalate their access without user interaction. CVSS 6.7 reflects high confidentiality, integrity, and availability impact, but EPSS score of 0.02% (4th percentile) and SSVC 'none' exploitation status indicate this vulnerability has not been observed in active, widespread exploitation despite the low barrier to exploitation from privileged context.
Local privilege escalation in MediaTek geniezone component due to missing bounds check allows System-privileged actors to achieve total system compromise across multiple chipset models. The vulnerability requires prior System-level access and affects 17 MediaTek chipset variants (MT6899, MT8791T, MT8786, MT6789, MT8367, MT6768, MT8766, MT6993, MT6991, MT6877, MT8788E, MT8781, MT8768, MT6989, MT8910, MT8196, MT8793). No public exploit code identified at time of analysis; exploitation remains unconfirmed in active systems despite SSVC indicating total technical impact potential.
Integer overflow in MediaTek secure boot (sec boot) leads to out-of-bounds write causing local denial of service on affected MediaTek chipsets. Attack requires physical device access and local user execution privileges, with no user interaction needed. EPSS score of 0.02% and CISA SSVC assessment of 'none' exploitation status indicate low real-world risk despite the moderate CVSS base score of 4.3.
Out-of-bounds write in MediaTek modem firmware enables remote privilege escalation when devices connect to attacker-controlled rogue cellular base stations. The vulnerability affects over 60 MediaTek chipset models widely deployed in smartphones and IoT devices, exploitable by adjacent network attackers without authentication (CVSS:3.1 AV:A/PR:N). While EPSS scores this at only 6% exploitation probability (18th percentile) and no active exploitation is confirmed at time of analysis, the attack s
Out-of-bounds write in MediaTek modem chipset implementations allows remote privilege escalation when user equipment connects to an attacker-controlled rogue cellular base station. Affects 57 MediaTek chipset models across MT67xx, MT68xx, MT69xx, MT87xx, and MT27xx families used in mobile devices. Authentication not required (CVSS PR:N) but requires adjacent network access and user interaction to connect to malicious base station. EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability. No public exploit identified at time of analysis, though vendor patch MOLY01406170 has been released per April 2026 MediaTek security bulletin.
Remote denial of service in MediaTek modem chipsets allows unauthenticated attackers to crash the system via a logic error when connecting to a rogue base station. The vulnerability affects 19 MediaTek chipset models (MT8678, MT6899, MT6897, and others) with no authentication or user interaction required. EPSS score of 0.08% (24th percentile) and CISA SSVC framework rating of no confirmed exploitation and partial technical impact suggest this is a low real-world priority despite the moderate CVSS 6.5 score.