Description
In imgsys, there is a possible memory corruption due to improper locking. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10363254; Issue ID: MSV-5617.
Published: 2026-02-02
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Denial of Service
Action: Apply Patch
AI Analysis

Impact

In the MediaTek imgsys component, improper locking (CWE‑667) and a potential double‑free (CWE‑415) can lead to a memory corruption condition that a local attacker with System privilege could exploit to cause a denial‑of‑service state. The flaw does not require user interaction and can be triggered by the corrupted internal state, rendering the system unresponsive until resolved.

Affected Systems

The vulnerability affects MediaTek chipsets MT6897 and MT6989, and is relevant to devices running Android 15.0 that incorporate these chipsets.

Risk and Exploitability

The flaw scores a CVSS 5.5 score with a very low exploit probability (EPSS < 1%) and is not listed in CISA’s KEV catalog. Exploitation requires local access with System privilege; an attacker must have already gained elevated rights, after which the flaw can be triggered without further user interaction. The likelihood of widespread exploitation remains low but the impact on affected devices is significant if the attacker succeeds.

Generated by OpenCVE AI on April 18, 2026 at 14:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device firmware or OS to a version that includes Patch ID ALPS10363254 (Issue ID MSV‑5617).
  • Reboot the device after applying the patch to clear any corrupted internal state.
  • If an immediate patch is unavailable, temporarily disable or restrict access to the imgSys component through vendor‑supplied configuration or system settings to prevent the exploit from being triggered.

Generated by OpenCVE AI on April 18, 2026 at 14:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 03 Feb 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Mediatek
Mediatek mt6897
Mediatek mt6989
Weaknesses CWE-667
CPEs cpe:2.3:h:mediatek:mt6897:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6989:-:*:*:*:*:*:*:*
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
Vendors & Products Google
Google android
Mediatek
Mediatek mt6897
Mediatek mt6989

Mon, 02 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Feb 2026 08:30:00 +0000

Type Values Removed Values Added
Description In imgsys, there is a possible memory corruption due to improper locking. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10363254; Issue ID: MSV-5617.
Weaknesses CWE-415
References

Subscriptions

Google Android
Mediatek Mt6897 Mt6989
cve-icon MITRE

Status: PUBLISHED

Assigner: MediaTek

Published:

Updated: 2026-03-30T13:03:16.932Z

Reserved: 2025-11-03T01:30:59.009Z

Link: CVE-2026-20415

cve-icon Vulnrichment

Updated: 2026-02-02T20:56:33.837Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-02T09:15:56.590

Modified: 2026-02-03T21:53:59.340

Link: CVE-2026-20415

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T14:30:02Z

Weaknesses