CVE-2026-20401
BaseFortify
Publication date: 2026-02-02
Last updated on: 2026-02-17
Assigner: MediaTek, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mediatek | nr15 | * |
| mediatek | mt2735 | * |
| mediatek | mt6833 | * |
| mediatek | mt6853 | * |
| mediatek | mt6855 | * |
| mediatek | mt6873 | * |
| mediatek | mt6875 | * |
| mediatek | mt6877 | * |
| mediatek | mt6880 | * |
| mediatek | mt6883 | * |
| mediatek | mt6885 | * |
| mediatek | mt6889 | * |
| mediatek | mt6890 | * |
| mediatek | mt6891 | * |
| mediatek | mt6893 | * |
| mediatek | mt8675 | * |
| mediatek | mt8771 | * |
| mediatek | mt8791 | * |
| mediatek | mt8791t | * |
| mediatek | mt8797 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-754 | The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product. |
| CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability is a high-severity security issue in the modem subcomponent of various MediaTek chipsets. It involves a possible system crash caused by an uncaught exception, classified under CWE-617 (Reachable Assertion). An attacker controlling a rogue base station can trigger this crash remotely when a user equipment (UE) connects to it, without needing any additional execution privileges or user interaction. [1]
How can this vulnerability impact me? :
The vulnerability can lead to a remote denial of service (DoS) condition on affected devices. This means an attacker controlling a rogue base station can cause the device's modem to crash, potentially disrupting network connectivity and device functionality without requiring user interaction or elevated privileges. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands or methods provided for this vulnerability. Since the issue involves a system crash due to an uncaught exception when a UE connects to a rogue base station, monitoring for unexpected modem crashes or abnormal behavior in the affected MediaTek chipsets could be indicative. However, no explicit detection commands or network indicators are detailed. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply the security patch identified as MOLY01738310 provided by MediaTek. Device OEMs have been notified and provided with security patches prior to the public release. Ensuring that your devices are updated with the latest firmware containing this patch will mitigate the vulnerability. Additionally, avoid connecting to untrusted or rogue base stations to reduce risk. [1]