Description
In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10362552; Issue ID: MSV-5760.
Published: 2026-02-02
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Apply patch
AI Analysis

Impact

MediaTek's imgsys module has a missing bounds check that can cause an out-of-bounds write. An attacker who already has system privileges can overwrite adjacent memory, potentially raising privileges or causing other unintended behavior. The flaw is categorized as CWE-787 (Out-of-bounds Write): data is written past the end, or before the beginning, of the intended buffer.

Affected Systems

Chipsets that include the vulnerable component are MediaTek MT6897, MT6989, MT8370, MT8390 and MT8395, as well as devices running Android 15.0 that depend on these chipsets. All affected hardware runs the proprietary imgsys firmware bundled with the device’s SoC.

Risk and Exploitability

The CVSS v3 score of 6.7 places the vulnerability in the medium severity range. EPSS indicates an exploitation likelihood of less than 1%, and the flaw is not listed in the CISA KEV catalog. Exploitation requires local access and system-level privileges, and no user interaction is needed. Consequently, risk is moderate to high for environments where an unprivileged user can attain system privilege, such as through physical access or other compromise vectors.

Generated by OpenCVE AI on April 16, 2026 at 17:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the MediaTek firmware update that includes patch ALPS10362552 (Issue MSV‑5760).
  • If the device firmware cannot be updated immediately, restrict access to administrative functions that may grant system privilege and disable or remove the imgsys driver if it is not required for device operation.
  • Enable device security logging to capture abnormal memory operations that may indicate exploitation of the imgsys component.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 18:00:00 +0000

  • Title (added): Out-of-Bounds Write in MediaTek Chipset ImgSys Enables Local Privilege Escalation

Wed, 04 Feb 2026 14:00:00 +0000

  • First Time appeared (added): Google; Google android
  • CPEs (added):
      cpe:2.3:h:mediatek:mt6897:-:*:*:*:*:*:*:*
      cpe:2.3:h:mediatek:mt6989:-:*:*:*:*:*:*:*
      cpe:2.3:h:mediatek:mt8370:-:*:*:*:*:*:*:*
      cpe:2.3:h:mediatek:mt8390:-:*:*:*:*:*:*:*
      cpe:2.3:h:mediatek:mt8395:-:*:*:*:*:*:*:*
      cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
  • Vendors & Products (added): Google; Google android

Wed, 04 Feb 2026 12:45:00 +0000

  • First Time appeared (added): Mediatek; Mediatek mt6897; Mediatek mt6989; Mediatek mt8370; Mediatek mt8390; Mediatek mt8395
  • Vendors & Products (added): Mediatek; Mediatek mt6897; Mediatek mt6989; Mediatek mt8370; Mediatek mt8390; Mediatek mt8395

Mon, 02 Feb 2026 14:15:00 +0000

  • Metrics (added):
      cvssV3_1: {'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}
      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 02 Feb 2026 08:30:00 +0000

  • Description (added): In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10362552; Issue ID: MSV-5760.
  • Weaknesses (added): CWE-787
  • References (added)

MITRE

Status: PUBLISHED

Assigner: MediaTek

Published:

Updated: 2026-03-30T13:03:03.420Z

Reserved: 2025-11-03T01:30:59.008Z

Link: CVE-2026-20410

Vulnrichment

Updated: 2026-02-02T13:56:28.126Z

NVD

Status: Analyzed

Published: 2026-02-02T09:15:55.913

Modified: 2026-02-04T13:46:35.300

Link: CVE-2026-20410

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:45:27Z

Weaknesses