Impact
The vulnerability exists in MediaTek modem firmware and arises from an out‑of‑bounds write caused by a missing bounds check. An attacker can trigger the flaw by connecting a user equipment (UE) to a rogue base station under the attacker's control. When the UE attaches to this rogue network, the out‑of‑bounds write can grant the attacker higher privileges on the modem, effectively allowing remote privilege escalation. No additional execution privileges or user interaction beyond connecting to the rogue base station are necessary. The flaw is a classic buffer overrun (CWE‑787) and could lead to unauthorized modification of memory or system state.
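To make the CWE‑787 pattern concrete, the following is an added illustration, not code from the advisory or from MediaTek's firmware: the message layout (a one‑byte length field followed by a payload), the `ie_buffer` structure, the `PAYLOAD_MAX` limit and both parser functions are constructed for this example. The unchecked parser trusts a length field from the air interface and copies into a fixed‑size buffer; the hardened parser adds the destination bound check whose absence the advisory describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed message layout for illustration only (not the real MediaTek
 * modem protocol): a one-byte length field followed by that many payload
 * bytes, copied into a fixed-size buffer inside the modem's state. */
#define PAYLOAD_MAX 16u

struct ie_buffer {
    uint8_t data[PAYLOAD_MAX];
    uint8_t len;
};

/* Vulnerable pattern (CWE-787): the length field is checked against the
 * received message, but never against the destination buffer, so a length
 * above PAYLOAD_MAX writes past data[]. Shown only to expose the missing
 * check; never call it with len > PAYLOAD_MAX. */
int parse_ie_unchecked(struct ie_buffer *out, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 1)
        return -1;
    uint8_t len = msg[0];
    if (msg_len < 1u + len)
        return -1;                   /* input truncated */
    memcpy(out->data, msg + 1, len); /* out-of-bounds write when len > PAYLOAD_MAX */
    out->len = len;
    return 0;
}

/* Hardened form: the destination bound is validated before the copy, and an
 * oversized length is rejected rather than trusted. */
int parse_ie_checked(struct ie_buffer *out, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 1)
        return -1;
    uint8_t len = msg[0];
    if (len > PAYLOAD_MAX)
        return -2;                   /* reject: would overrun data[] */
    if (msg_len < 1u + len)
        return -1;                   /* input truncated */
    memcpy(out->data, msg + 1, len);
    out->len = len;
    return 0;
}

/* Constructed sample messages: one well-formed (4-byte payload), one whose
 * length field claims 200 bytes, far beyond the 16-byte destination. */
static const uint8_t good_msg[] = {4, 'A', 'B', 'C', 'D'};
static uint8_t bad_msg[1 + 200];

/* Runs both messages through the hardened parser. Returns 1 when the
 * well-formed message is accepted and the oversized one is rejected. */
int demo_bounds_check(void)
{
    struct ie_buffer buf;
    bad_msg[0] = 200;
    memset(bad_msg + 1, 'X', 200);
    int good = parse_ie_checked(&buf, good_msg, sizeof good_msg);
    int bad = parse_ie_checked(&buf, bad_msg, sizeof bad_msg);
    return good == 0 && buf.len == 4 && bad == -2;
}
```

The two parsers differ by a single comparison against the destination size; in firmware that parses network‑supplied length fields, that comparison is the control the advisory says was missing, and reviewing every such copy for a destination bound is the corresponding code‑audit check.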
Affected Systems
All MediaTek chipsets whose firmware versions correspond to the CPE strings listed in the advisory are affected. This includes the MT2735, MT2737, MT6779, MT6781, MT6783, MT6785, MT6789, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6989, MT6990, MT6991, MT6993, MT8668, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8775, MT8781, MT8789, MT8791, MT8791t, MT8792, MT8793, MT8795t, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893. The same set of chipsets is affected across both hardware and firmware revisions.
Risk and Exploitability
The CVSS score is 8, indicating high severity, and the EPSS score is less than 1 percent, reflecting a low but non‑negligible likelihood of exploitation. It is not listed in the CISA KEV catalog. The attack requires the victim's UE to connect to a rogue base station, which is a realistic scenario in environments with uncontrolled base stations. Since the flaw does not require prior code execution, an attacker can gain elevated privileges with minimal setup, making the vulnerability particularly concerning for users of mobile or IoT devices, where the modem firmware cannot easily be inspected by the end user.
OpenCVE Enrichment