Description
In cameraisp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10351676; Issue ID: MSV-5733.
Published: 2026-02-02
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

A missing bounds check in the MediaTek camera service (cameraisp) can result in an out‑of‑bounds write, giving a local attacker already holding System privilege the ability to modify adjacent memory and elevate their privileges. This flaw is a classic out‑of‑bounds write (CWE‑787) and does not require any user interaction to be triggered.

Affected Systems

MediaTek chipset‑based devices, including all listed models such as MT6878, MT6879, MT6881, MT6886, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT6993, MT8168, MT8188, MT8195, MT8365, MT8390, MT8395, MT8666, MT8667, MT8673, MT8676, MT8696, MT8793, as well as Android operating systems from version 13 through 16.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.8, indicating moderate to high severity. The EPSS score is below 1%, suggesting a low probability of exploitation at this time, and it is not listed in the CISA KEV catalog. The likely attack scenario involves a local adversary who has already gained System privilege; from there, the out‑of‑bounds write can be used to increase privileges further. No remote attack vector or user interaction is required.

Generated by OpenCVE AI on April 16, 2026 at 07:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official firmware update containing Patch ID ALPS10351676 (issue ID MSV‑5733) released by MediaTek.
  • If the patch is not immediately available, restrict device access to prevent local users from obtaining System privilege, for example by disabling or sandboxing camera services until a fix can be applied.
  • Review and harden device configurations to enforce least privilege for applications that communicate with the media framework, and monitor for anomalous memory write activity.

Generated by OpenCVE AI on April 16, 2026 at 07:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 07:30:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Write in MediaTek Camera Service Enables Local Privilege Escalation

Wed, 04 Feb 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
CPEs cpe:2.3:h:mediatek:mt6878:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6879:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6881:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6886:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6895:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6897:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6899:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6983:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6985:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6989:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6991:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6993:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt8168:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt8188:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt8195:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt8365:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt8390:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt8395:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt8666:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt8667:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt8673:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt8676:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt8696:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt8793:-:*:*:*:*:*:*:*
cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*
Vendors & Products Google
Google android

Wed, 04 Feb 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Mediatek
Mediatek mt6878
Mediatek mt6879
Mediatek mt6881
Mediatek mt6886
Mediatek mt6895
Mediatek mt6897
Mediatek mt6899
Mediatek mt6983
Mediatek mt6985
Mediatek mt6989
Mediatek mt6991
Mediatek mt6993
Mediatek mt8168
Mediatek mt8188
Mediatek mt8195
Mediatek mt8365
Mediatek mt8390
Mediatek mt8395
Mediatek mt8666
Mediatek mt8667
Mediatek mt8673
Mediatek mt8676
Mediatek mt8696
Mediatek mt8793
Vendors & Products Mediatek
Mediatek mt6878
Mediatek mt6879
Mediatek mt6881
Mediatek mt6886
Mediatek mt6895
Mediatek mt6897
Mediatek mt6899
Mediatek mt6983
Mediatek mt6985
Mediatek mt6989
Mediatek mt6991
Mediatek mt6993
Mediatek mt8168
Mediatek mt8188
Mediatek mt8195
Mediatek mt8365
Mediatek mt8390
Mediatek mt8395
Mediatek mt8666
Mediatek mt8667
Mediatek mt8673
Mediatek mt8676
Mediatek mt8696
Mediatek mt8793

Mon, 02 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Feb 2026 08:30:00 +0000

Type Values Removed Values Added
Description In cameraisp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10351676; Issue ID: MSV-5733.
Weaknesses CWE-787
References
cve-icon MITRE

Status: PUBLISHED

Assigner: MediaTek

Published:

Updated: 2026-03-30T13:03:09.154Z

Reserved: 2025-11-03T01:30:59.008Z

Link: CVE-2026-20412

cve-icon Vulnrichment

Updated: 2026-02-02T17:35:05.124Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-02T09:15:56.187

Modified: 2026-02-04T13:44:58.703

Link: CVE-2026-20412

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T07:15:28Z

Weaknesses