MediaTek Security Update – Patch for Multiple Vulnerabilities Across Chipsets

MediaTek has published a security bulletin addressing multiple high- and medium-severity vulnerabilities in its modem firmware and Android BSP components. Device OEMs are advised to ship the corresponding updates without delay.

The bulletin, published two months after OEMs were notified confidentially, states that MediaTek has no evidence of any of these issues being exploited in the wild.

Key Highlights

  • MediaTek has patched three high-severity and three medium-severity vulnerabilities in modem firmware and BSP components affecting more than 60 chipsets.
  • OEMs received the fixes in July; integrators should move to the patched Modem NR and Android BSP builds now.
  • No in-the-wild exploitation has been reported.

High-Severity Out-of-Bounds Vulnerabilities

Three high-severity vulnerabilities, rated under the Common Vulnerability Scoring System version 3.1 (CVSS v3.1), affect the Modem firmware on numerous MediaTek chipsets.

CVE-2025-20708: This out-of-bounds write vulnerability (CWE-787) in the Modem's buffer validation allows remote privilege escalation when the user equipment (UE) attaches to a rogue base station. No user interaction is required. Affected chipsets include MT6813, MT6833, MT6855, MT8873, MT8893, and over 60 additional models running Modem NR15 through NR17R software versions.

CVE-2025-20703: An out-of-bounds read vulnerability (CWE-125) in the Modem component can cause remote denial-of-service under similar conditions without user interaction. Impacted chipsets include MT2735, MT6789, MT6893, MT8678, MT8791T, MT8883, among others, all using NR15–NR17R releases.

CVE-2025-20704: Another out-of-bounds write vulnerability (CWE-787), caused by a missing bounds check, can lead to remote privilege escalation but requires user interaction to exploit. This flaw affects a narrower set of chipsets: MT6835T, MT6899, MT6991, MT8676, MT8792, and others running Modem NR17 and NR17R builds.
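To make concrete what "missing bounds check" and "buffer validation" mean for the three modem CVEs above, here is an added example written for this article; it is illustrative C, not MediaTek's modem source, and the TLV message layout, the IE_VALUE_MAX size, the function names and the PDU bytes are all constructed assumptions. A peer such as a base station supplies the length byte of each information element. The unchecked parser trusts it and can both read past the end of the received PDU (the CWE-125 pattern behind CVE-2025-20703) and write past the fixed-size destination (the CWE-787 pattern behind CVE-2025-20708 and CVE-2025-20704); the checked parser bounds every read and write before performing it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not MediaTek code. Hypothetical message format:
 * a PDU is a sequence of information elements [type:1][len:1][value:len]. */
#define IE_VALUE_MAX 32

typedef struct {
    uint8_t type;
    uint8_t len;
    uint8_t value[IE_VALUE_MAX];
} ie_t;

/* Vulnerable pattern: trusts the peer-supplied len byte.
 * len > bytes remaining in the PDU  -> reads past the PDU (CWE-125).
 * len > IE_VALUE_MAX                -> writes past out->value (CWE-787).
 * Kept for comparison only; never call it with untrusted input. */
int find_ie_unchecked(const uint8_t *pdu, size_t pdu_len, uint8_t want, ie_t *out)
{
    size_t off = 0;
    while (off < pdu_len) {
        uint8_t type = pdu[off];
        uint8_t len = pdu[off + 1];               /* off+1 may be past the end */
        if (type == want) {
            out->type = type;
            out->len = len;
            memcpy(out->value, &pdu[off + 2], len); /* unbounded copy */
            return 0;
        }
        off += 2 + (size_t)len;
    }
    return -1;
}

/* Hardened pattern: validate the header, the value span and the
 * destination size before touching memory.
 * Returns 0 on success, -1 if the IE is absent, -2 if the PDU is
 * malformed/truncated, -3 if the value would not fit the destination. */
int find_ie_checked(const uint8_t *pdu, size_t pdu_len, uint8_t want, ie_t *out)
{
    size_t off = 0;
    while (off < pdu_len) {
        if (pdu_len - off < 2)                   /* header itself is truncated */
            return -2;
        uint8_t type = pdu[off];
        uint8_t len = pdu[off + 1];
        if (len > pdu_len - off - 2)             /* value runs past the PDU */
            return -2;
        if (type == want) {
            if (len > IE_VALUE_MAX)              /* value would overflow out->value */
                return -3;
            out->type = type;
            out->len = len;
            memcpy(out->value, &pdu[off + 2], len);
            return 0;
        }
        off += 2 + (size_t)len;
    }
    return -1;
}

int main(void)
{
    ie_t ie;
    /* Constructed PDUs. */
    const uint8_t good[] = { 0x01, 0x02, 0xAA, 0xBB,        /* IE type 1, 2 bytes */
                             0x07, 0x03, 0x01, 0x02, 0x03 }; /* IE type 7, 3 bytes */
    const uint8_t trunc[] = { 0x07, 0x10, 0x01 };           /* claims 16 bytes, has 1 */
    uint8_t big[42] = { 0x07, 40 };                         /* 40 bytes > IE_VALUE_MAX */

    printf("good:  %d\n", find_ie_checked(good, sizeof good, 0x07, &ie));    /* 0  */
    printf("trunc: %d\n", find_ie_checked(trunc, sizeof trunc, 0x07, &ie));  /* -2 */
    printf("big:   %d\n", find_ie_checked(big, sizeof big, 0x07, &ie));      /* -3 */
    return 0;
}
```

The two checks in the hardened parser map directly onto the two CWE classes in the bulletin: `len > pdu_len - off - 2` guards the read side, `len > IE_VALUE_MAX` guards the write side, and both use subtraction in a form that cannot wrap because `pdu_len - off >= 2` has already been established.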

Medium-Severity Memory Corruption Vulnerabilities

Three medium-severity use-after-free vulnerabilities (CWE-416) were identified in the monitor_hang, mbrain, and geniezone components delivered with the BSP:

CVE-2025-20705 (monitor_hang uaf): This use-after-free issue can enable local privilege escalation for an attacker who already holds System execution privileges. A wide range of chipsets from MT2718 to MT8796, across Android 13–16, OpenWRT 19.07/21.02, and Yocto 2.6 releases, is affected.

CVE-2025-20706 (mbrain uaf): Similar memory corruption in the mbrain task scheduler on MT6899, MT6989, MT6991, MT8676, and MT8678 running Android 14–15 may result in local code execution.

CVE-2025-20707 (geniezone uaf): A use-after-free in the geniezone service can cause memory corruption exploitable by a local attacker who already holds elevated privileges, on MT2718, MT6853, MT8792, MT8883, and other models across Android 13–15.

All of these vulnerabilities except CVE-2025-20704 were reported through external security research. The fixes were communicated to OEM partners in July, and firmware updates incorporating them are now being rolled out. MediaTek advises integrators to upgrade to the patched Modem NR and Android BSP versions to mitigate the risk.