Description
In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10320471; Issue ID: MSV-5538.
Published: 2026-03-02
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

An out‑of‑bounds write occurs in the MediaTek chipset display firmware because a bounds check is missing. The flaw is a classic buffer overflow (CWE‑787). If an attacker already has System privileges on the device, exploiting this vulnerability could allow elevation of privileges within the local environment. No user interaction is required once the attacker has that foothold.

Affected Systems

The vulnerability affects MediaTek chipsets, including the MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT6993, MT8196, MT8678, MT8793, and has implications for Android devices running versions 14.0, 15.0, and 16.0 that employ these chipsets.

Risk and Exploitability

The CVSS score of 6.7 indicates medium severity. Because the exploit requires an attacker to already have System privileges on the device, the likelihood of exploitation is low, reflected in an EPSS score of less than 1%. The bug is not listed in the CISA Known Exploited Vulnerabilities catalog, and the attack vector is local; user interaction is not needed once privileges are available.

Generated by OpenCVE AI on April 16, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the MediaTek firmware patch identified by ALPS10320471 (issue ID MSV-5538) to correct the bounds check.
  • Upgrade all affected devices to the latest firmware that incorporates this patch before deploying them in production.
  • If the patch is not yet available, restrict the execution of processes with System privileges and monitor for anomalous activity that may indicate exploitation attempts.

Generated by OpenCVE AI on April 16, 2026 at 14:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Write in MediaTek Chipset Enables Local Privilege Escalation

Tue, 03 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Mediatek
Mediatek mt6739
Mediatek mt6761
Mediatek mt6765
Mediatek mt6768
Mediatek mt6781
Mediatek mt6789
Mediatek mt6833
Mediatek mt6835
Mediatek mt6853
Mediatek mt6855
Mediatek mt6877
Mediatek mt6878
Mediatek mt6879
Mediatek mt6883
Mediatek mt6885
Mediatek mt6886
Mediatek mt6889
Mediatek mt6893
Mediatek mt6895
Mediatek mt6897
Mediatek mt6899
Mediatek mt6983
Mediatek mt6985
Mediatek mt6989
Mediatek mt6991
Mediatek mt6993
Mediatek mt8196
Mediatek mt8678
Mediatek mt8793
CPEs cpe:2.3:h:mediatek:mt6739:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6761:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6765:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6768:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6781:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6789:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6833:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6835:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6853:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6855:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6877:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6878:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6879:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6883:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6885:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6886:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6889:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6893:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6895:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6897:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6899:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6983:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6985:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6989:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6991:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt6993:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt8196:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt8678:-:*:*:*:*:*:*:*
cpe:2.3:h:mediatek:mt8793:-:*:*:*:*:*:*:*
cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*
Vendors & Products Google
Google android
Mediatek
Mediatek mt6739
Mediatek mt6761
Mediatek mt6765
Mediatek mt6768
Mediatek mt6781
Mediatek mt6789
Mediatek mt6833
Mediatek mt6835
Mediatek mt6853
Mediatek mt6855
Mediatek mt6877
Mediatek mt6878
Mediatek mt6879
Mediatek mt6883
Mediatek mt6885
Mediatek mt6886
Mediatek mt6889
Mediatek mt6893
Mediatek mt6895
Mediatek mt6897
Mediatek mt6899
Mediatek mt6983
Mediatek mt6985
Mediatek mt6989
Mediatek mt6991
Mediatek mt6993
Mediatek mt8196
Mediatek mt8678
Mediatek mt8793

Mon, 02 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
Description In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10320471; Issue ID: MSV-5538.
Weaknesses CWE-787
References
cve-icon MITRE

Status: PUBLISHED

Assigner: MediaTek

Published:

Updated: 2026-03-30T13:05:24.344Z

Reserved: 2025-11-03T01:30:59.010Z

Link: CVE-2026-20426

cve-icon Vulnrichment

Updated: 2026-03-02T13:48:56.989Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-02T09:16:15.777

Modified: 2026-03-03T13:09:01.077

Link: CVE-2026-20426

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T14:45:25Z

Weaknesses