CVE-2026-20411 - Vulnerability Details

- Use‑After‑Free in Cameraisp Causes Local Denial of Service on MediaTek Chipsets

Description

In cameraisp, there is a possible escalation of privilege due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10351676; Issue ID: MSV-5737.

Published: 2026-02-02

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a use‑after‑free in the cameraisp component. It can be triggered when a Free operation leaves a dangling pointer that is subsequently dereferenced by code executing with system privileges. The result is a local denial of service that can crash the cameraisp process or otherwise disable camera functionality. Because the flaw is exploitable only after system privilege has already been achieved, it does not provide an additional elevation of privilege but can render the device non‑operational for the user.

Affected Systems

Affected systems include MediaTek chipsets such as MT6878, MT6879, MT6881, MT6886, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT6993, MT8168, MT8188, MT8195, MT8365, MT8370, MT8390, MT8395, MT8666, MT8667, MT8673, MT8676, MT8793, and Android platforms ranging from version 13.0 through 16.0 that incorporate these chipsets. These components are found in a range of Android devices supplied by MediaTek.

Risk and Exploitability

The CVSS score of 7.8 indicates a high risk, but the EPSS score of less than 1% signifies that exploitation is considered unlikely at this time. The vulnerability is not listed in the CISA KEV catalog. The attack vector is local with no user interaction required; an adversary must already possess system privileges to trigger the flaw. If the software is patched, the risk is mitigated, though operators should be aware that the flaw could be leveraged to crash the camera subsystem and disrupt device availability.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

MediaTek, Inc.

MediaTek chipset

unaffected

Version	Status	Constraints
`MT6878`	affected	—
`MT6879`	affected	—
`MT6881`	affected	—
`MT6886`	affected	—
`MT6895`	affected	—
`MT6897`	affected	—
`MT6899`	affected	—
`MT6983`	affected	—
`MT6985`	affected	—
`MT6989`	affected	—
`MT6991`	affected	—
`MT6993`	affected	—
`MT8168`	affected	—
`MT8188`	affected	—
`MT8195`	affected	—
`MT8365`	affected	—
`MT8370`	affected	—
`MT8390`	affected	—
`MT8395`	affected	—
`MT8666`	affected	—
`MT8667`	affected	—
`MT8673`	affected	—
`MT8676`	affected	—
`MT8793`	affected	—

Configuration 1 [-]

AND

OR	cpe:2.3:o:google:android:13.0:::::::*
	cpe:2.3:o:google:android:14.0:::::::*
	cpe:2.3:o:google:android:15.0:::::::*
	cpe:2.3:o:google:android:16.0:-::::::

OR	cpe:2.3:h:mediatek:mt6878:-:::::::*
	cpe:2.3:h:mediatek:mt6879:-:::::::*
	cpe:2.3:h:mediatek:mt6881:-:::::::*
	cpe:2.3:h:mediatek:mt6886:-:::::::*
	cpe:2.3:h:mediatek:mt6895:-:::::::*
	cpe:2.3:h:mediatek:mt6897:-:::::::*
	cpe:2.3:h:mediatek:mt6899:-:::::::*
	cpe:2.3:h:mediatek:mt6983:-:::::::*
	cpe:2.3:h:mediatek:mt6985:-:::::::*
	cpe:2.3:h:mediatek:mt6989:-:::::::*
	cpe:2.3:h:mediatek:mt6991:-:::::::*
	cpe:2.3:h:mediatek:mt6993:-:::::::*
	cpe:2.3:h:mediatek:mt8168:-:::::::*
	cpe:2.3:h:mediatek:mt8188:-:::::::*
	cpe:2.3:h:mediatek:mt8195:-:::::::*
	cpe:2.3:h:mediatek:mt8365:-:::::::*
	cpe:2.3:h:mediatek:mt8370:-:::::::*
	cpe:2.3:h:mediatek:mt8390:-:::::::*
	cpe:2.3:h:mediatek:mt8395:-:::::::*
	cpe:2.3:h:mediatek:mt8666:-:::::::*
	cpe:2.3:h:mediatek:mt8667:-:::::::*
	cpe:2.3:h:mediatek:mt8673:-:::::::*
	cpe:2.3:h:mediatek:mt8676:-:::::::*
	cpe:2.3:h:mediatek:mt8793:-:::::::*

No data.

Vendor	Product	Confidence	Versions
Mediatek	Mt6781	—	—
Mediatek	Mt6878	—	—
Mediatek	Mt6879	—	—
Mediatek	Mt6886	—	—
Mediatek	Mt6895	—	—
Mediatek	Mt6897	—	—
Mediatek	Mt6899	—	—
Mediatek	Mt6983	—	—
Mediatek	Mt6985	—	—
Mediatek	Mt6989	—	—
Mediatek	Mt6991	—	—
Mediatek	Mt6993	—	—
Mediatek	Mt8168	—	—
Mediatek	Mt8188	—	—
Mediatek	Mt8195	—	—
Mediatek	Mt8365	—	—
Mediatek	Mt8370	—	—
Mediatek	Mt8390	—	—
Mediatek	Mt8395	—	—
Mediatek	Mt8666	—	—
Mediatek	Mt8667	—	—
Mediatek	Mt8673	—	—
Mediatek	Mt8676	—	—
Mediatek	Mt8793	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the official MediaTek firmware patch identified by ALPS10351676 to address the use‑after‑free in cameraisp.
If an update is not yet available, limit the cameraisp service’s permissions so that only privileged processes can access it, thereby preventing unprivileged local users from triggering the flaw.
Verify that memory deallocation routines in cameraisp consistently clear or nullify pointers after a free operation, and enforce these practices in future builds to avoid dangling references.

Generated by OpenCVE AI on April 16, 2026 at 07:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00003.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://corp.mediatek.com/product-security-bulletin/February-2026

History

Thu, 16 Apr 2026 07:30:00 +0000

Type	Values Removed	Values Added
Title		Use‑After‑Free in Cameraisp Causes Local Denial of Service on MediaTek Chipsets

Wed, 04 Feb 2026 14:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google android Mediatek mt6881
CPEs		cpe:2.3:h:mediatek:mt6878:-:::::::* cpe:2.3:h:mediatek:mt6879:-:::::::* cpe:2.3:h:mediatek:mt6881:-:::::::* cpe:2.3:h:mediatek:mt6886:-:::::::* cpe:2.3:h:mediatek:mt6895:-:::::::* cpe:2.3:h:mediatek:mt6897:-:::::::* cpe:2.3:h:mediatek:mt6899:-:::::::* cpe:2.3:h:mediatek:mt6983:-:::::::* cpe:2.3:h:mediatek:mt6985:-:::::::* cpe:2.3:h:mediatek:mt6989:-:::::::* cpe:2.3:h:mediatek:mt6991:-:::::::* cpe:2.3:h:mediatek:mt6993:-:::::::* cpe:2.3:h:mediatek:mt8168:-:::::::* cpe:2.3:h:mediatek:mt8188:-:::::::* cpe:2.3:h:mediatek:mt8195:-:::::::* cpe:2.3:h:mediatek:mt8365:-:::::::* cpe:2.3:h:mediatek:mt8370:-:::::::* cpe:2.3:h:mediatek:mt8390:-:::::::* cpe:2.3:h:mediatek:mt8395:-:::::::* cpe:2.3:h:mediatek:mt8666:-:::::::* cpe:2.3:h:mediatek:mt8667:-:::::::* cpe:2.3:h:mediatek:mt8673:-:::::::* cpe:2.3:h:mediatek:mt8676:-:::::::* cpe:2.3:h:mediatek:mt8793:-:::::::* cpe:2.3:o:google:android:13.0:::::::* cpe:2.3:o:google:android:14.0:::::::* cpe:2.3:o:google:android:15.0:::::::* cpe:2.3:o:google:android:16.0:-::::::
Vendors & Products		Google Google android Mediatek mt6881

Wed, 04 Feb 2026 12:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mediatek Mediatek mt6781 Mediatek mt6878 Mediatek mt6879 Mediatek mt6886 Mediatek mt6895 Mediatek mt6897 Mediatek mt6899 Mediatek mt6983 Mediatek mt6985 Mediatek mt6989 Mediatek mt6991 Mediatek mt6993 Mediatek mt8168 Mediatek mt8188 Mediatek mt8195 Mediatek mt8365 Mediatek mt8370 Mediatek mt8390 Mediatek mt8395 Mediatek mt8666 Mediatek mt8667 Mediatek mt8673 Mediatek mt8676 Mediatek mt8793
Vendors & Products		Mediatek Mediatek mt6781 Mediatek mt6878 Mediatek mt6879 Mediatek mt6886 Mediatek mt6895 Mediatek mt6897 Mediatek mt6899 Mediatek mt6983 Mediatek mt6985 Mediatek mt6989 Mediatek mt6991 Mediatek mt6993 Mediatek mt8168 Mediatek mt8188 Mediatek mt8195 Mediatek mt8365 Mediatek mt8370 Mediatek mt8390 Mediatek mt8395 Mediatek mt8666 Mediatek mt8667 Mediatek mt8673 Mediatek mt8676 Mediatek mt8793

Mon, 02 Feb 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 02 Feb 2026 08:30:00 +0000

Type	Values Removed	Values Added
Description		In cameraisp, there is a possible escalation of privilege due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10351676; Issue ID: MSV-5737.
Weaknesses		CWE-416
References		https://corp.mediatek.com/product-security-bulletin/February-2026

Subscriptions

Google Android

Mediatek Mt6781 Mt6878 Mt6879 Mt6881 Mt6886 Mt6895 Mt6897 Mt6899 Mt6983 Mt6985 Mt6989 Mt6991 Mt6993 Mt8168 Mt8188 Mt8195 Mt8365 Mt8370 Mt8390 Mt8395 Mt8666 Mt8667 Mt8673 Mt8676 Mt8793

MITRE

Status: PUBLISHED

Assigner: MediaTek

Published: 2026-02-02T08:15:03.859Z

Updated: 2026-03-30T13:03:06.262Z

Reserved: 2025-11-03T01:30:59.008Z

Link: CVE-2026-20411

Vulnrichment

Updated: 2026-02-02T18:29:16.789Z

NVD

Status : Analyzed

Published: 2026-02-02T09:15:56.040

Modified: 2026-02-04T13:45:57.673

Link: CVE-2026-20411

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T07:15:28Z

Weaknesses

CWE-416

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object