MediaTek today published a critical security bulletin addressing several vulnerabilities across its latest modem chipsets, urging device OEMs to deploy updates immediately.
The bulletin, issued two months after confidential OEM notification, confirms that no known in-the-wild exploits have been detected to date.
Key Takeaways
1. MediaTek patched high- and medium-severity modem and firmware bugs across 60+ chipsets.
2. OEMs received fixes in July; update Modem NR and BSP now.
3. No exploitation detected.
High-Severity Out-of-Bounds Flaws
Three high-severity flaws, rated under the Common Vulnerability Scoring System version 3.1 (CVSS v3.1), affect the Modem firmware on dozens of MediaTek chipsets.
CVE-2025-20708: An out-of-bounds write (CWE-787) in the Modem's buffer-validation logic permits remote privilege escalation when a user equipment (UE) connects to a rogue base station.
No user interaction is required to trigger the vulnerability. Affected chipsets include MT6813, MT6833, MT6855, MT8873, MT8893, and over 60 more models running Modem NR15–NR17R software versions.
CVE-2025-20703: An out-of-bounds read (CWE-125) in the same Modem component allows remote denial-of-service under similar conditions and with no user interaction.
Impacted silicon spans MT2735, MT6789, MT6893, MT8678, MT8791T, MT8883, among others, all on NR15–NR17R releases.
CVE-2025-20704: A second out-of-bounds write (CWE-787) stemming from a missing bounds check can also yield remote privilege escalation, though user interaction is required for exploitation.
The flaw affects a subset of chipsets—MT6835T, MT6899, MT6991, MT8676, MT8792, and a dozen more—running Modem NR17 and NR17R builds.
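All three modem flaws come down to a length field that is trusted before it is checked against either the destination buffer (the CWE-787 write) or the amount of data actually received (the CWE-125 read). The following C listing is an added illustration written for this article, not MediaTek's modem code and not based on any of its internals: the message layout, the PAYLOAD_MAX limit and the function names are hypothetical, constructed only to show the two checks a parser needs and what happens when they are missing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical message layout, constructed for illustration: a one-byte
 * type, a one-byte declared payload length, then the payload bytes. */
#define HDR_LEN 2
#define PAYLOAD_MAX 16

typedef struct {
    uint8_t type;
    uint8_t payload[PAYLOAD_MAX];
    size_t payload_len;
} msg_t;

typedef enum {
    PARSE_OK = 0,
    PARSE_ERR_TRUNCATED,  /* declared length runs past the received data (CWE-125) */
    PARSE_ERR_TOO_LARGE   /* declared length exceeds the destination buffer (CWE-787) */
} parse_result_t;

/* The defect pattern: the declared length is copied as-is. A value above
 * PAYLOAD_MAX writes past out->payload, a value above the received length
 * reads past buf. Kept here only for contrast; never call it on real input. */
parse_result_t parse_msg_unchecked(const uint8_t *buf, size_t buf_len, msg_t *out)
{
    (void)buf_len;                     /* received length is ignored */
    out->type = buf[0];
    out->payload_len = buf[1];
    memcpy(out->payload, buf + HDR_LEN, buf[1]);
    return PARSE_OK;
}

/* Hardened parser: header presence, destination capacity and received
 * length are all checked before any byte is copied. Rejecting the message
 * instead of silently clamping keeps the failure visible to the caller,
 * which is what a firmware audit log or fuzzing harness wants to see. */
parse_result_t parse_msg_checked(const uint8_t *buf, size_t buf_len, msg_t *out)
{
    if (buf_len < HDR_LEN)
        return PARSE_ERR_TRUNCATED;
    uint8_t declared = buf[1];
    if (declared > PAYLOAD_MAX)
        return PARSE_ERR_TOO_LARGE;           /* would have been the OOB write */
    if ((size_t)declared > buf_len - HDR_LEN)
        return PARSE_ERR_TRUNCATED;           /* would have been the OOB read */
    out->type = buf[0];
    out->payload_len = declared;
    memcpy(out->payload, buf + HDR_LEN, declared);
    return PARSE_OK;
}

/* Runs the checked parser over constructed samples; returns 1 if every
 * case produced the expected verdict, 0 otherwise. */
int run_self_checks(void)
{
    msg_t m;
    const uint8_t good[]      = {0x01, 0x03, 0xAA, 0xBB, 0xCC}; /* well-formed */
    const uint8_t oversize[]  = {0x01, 0xFF, 0x00};             /* 255 > PAYLOAD_MAX */
    const uint8_t truncated[] = {0x01, 0x04, 0xAA, 0xBB};       /* claims 4, carries 2 */
    const uint8_t tiny[]      = {0x01};                         /* no length byte */

    if (parse_msg_checked(good, sizeof good, &m) != PARSE_OK) return 0;
    if (m.payload_len != 3 || m.payload[2] != 0xCC) return 0;
    if (parse_msg_checked(oversize, sizeof oversize, &m) != PARSE_ERR_TOO_LARGE) return 0;
    if (parse_msg_checked(truncated, sizeof truncated, &m) != PARSE_ERR_TRUNCATED) return 0;
    if (parse_msg_checked(tiny, sizeof tiny, &m) != PARSE_ERR_TRUNCATED) return 0;
    return 1;
}

int main(void)
{
    printf("bounds-check self-test: %s\n", run_self_checks() ? "PASS" : "FAIL");
    return 0;
}
```

The two rejected cases map onto the two CWEs in the bulletin: an oversize declared length is the write past the destination, a declared length longer than the received frame is the read past the source. Both checks are cheap and belong at the parser boundary, which is also where a unit test or fuzzer can exercise them without touching the radio stack.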
Medium-Severity Memory Corruption Flaws
Three medium-severity use-after-free bugs (CWE-416) reside in the monitor_hang, mbrain, and geniezone modules of the chipset firmware:
CVE-2025-20705 (“monitor_hang uaf”): A use-after-free error could enable local privilege escalation for attackers who already possess System privileges.
A broad range of chipsets from MT2718 to MT8796 across Android 13–16, OpenWRT 19.07/21.02, and Yocto 2.6 releases is affected.
CVE-2025-20706 (“mbrain uaf”): Similar memory corruption in the mbrain task scheduler on MT6899, MT6989, MT6991, MT8676, and MT8678 running Android 14–15 may lead to local code execution.
CVE-2025-20707 (“geniezone uaf”): A flaw in the geniezone service can result in memory corruption under local privilege conditions on MT2718, MT6853, MT8792, MT8883, and other models across Android 13–15.
| CVE | Title | Severity |
| --- | --- | --- |
| CVE-2025-20708 | Out-of-bounds write in Modem | High |
| CVE-2025-20703 | Out-of-bounds read in Modem | High |
| CVE-2025-20704 | Out-of-bounds write in Modem | High |
| CVE-2025-20705 | Use after free in monitor_hang | Medium |
| CVE-2025-20706 | Use after free in mbrain | Medium |
| CVE-2025-20707 | Use after free in geniezone | Medium |
All vulnerabilities were discovered via external security research, except CVE-2025-20704, which was identified by internal validation teams.
OEM partners have received patches since July, and final firmware images incorporating these fixes will begin rolling out immediately.
MediaTek reminds integrators to upgrade Modem NR and Android BSP versions to mitigate risks.