CVE-2026-20434 - Vulnerability Details

- Out-of-Bounds Write in MediaTek Modem Enables Remote Privilege Escalation

Description

In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY00782946; Issue ID: MSV-4135.

Published: 2026-03-02

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A missing bounds check in the MediaTek modem software allows an out‑of‑bounds write, which can be exploited by an attacker to gain privilege escalation on a user equipment device during a connection to a rogue base station. The flaw is identified as a classic CWE‑787 buffer over-read/write vulnerability. An attacker does not need additional execution privileges beyond establishing the deceptive base station connection, but user interaction is required to initiate the interaction.

Affected Systems

The vulnerability affects a wide range of MediaTek chipset models listed in the CPE data, including MT2735, MT2737, MT6739, MT6761, MT6762, MT6765, MT6785, MT6855, MT6877, MT6880, MT6899, MT6980, MT8666, MT8768, and many others. Devices using these chipsets rely on the modem component where the flaw resides.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at the time of analysis. The flaw is not listed in the CISA KEV catalog. Exploitation requires the user to connect to a rogue base station controlled by the attacker; no additional privileges are needed beyond this. The attack vector is inferred to be a network-based interaction from a malicious base station, and the threat is mitigated by application of the vendor’s patch.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

MediaTek, Inc.

MediaTek chipset

unaffected

Version	Status	Constraints
`MT2735`	affected	—
`MT2737`	affected	—
`MT6739`	affected	—
`MT6761`	affected	—
`MT6762`	affected	—
`MT6762D`	affected	—
`MT6762M`	affected	—
`MT6763`	affected	—
`MT6765`	affected	—
`MT6765T`	affected	—
`MT6767`	affected	—
`MT6768`	affected	—
`MT6769`	affected	—
`MT6769K`	affected	—
`MT6769S`	affected	—
`MT6769T`	affected	—
`MT6769Z`	affected	—
`MT6771`	affected	—
`MT6779`	affected	—
`MT6781`	affected	—
`MT6783`	affected	—
`MT6785`	affected	—
`MT6785T`	affected	—
`MT6785U`	affected	—
`MT6789`	affected	—
`MT6833`	affected	—
`MT6833P`	affected	—
`MT6835`	affected	—
`MT6835T`	affected	—
`MT6853`	affected	—
`MT6853T`	affected	—
`MT6855`	affected	—
`MT6855T`	affected	—
`MT6873`	affected	—
`MT6875`	affected	—
`MT6875T`	affected	—
`MT6877`	affected	—
`MT6877T`	affected	—
`MT6877TT`	affected	—
`MT6878`	affected	—
`MT6878M`	affected	—
`MT6879`	affected	—
`MT6880`	affected	—
`MT6883`	affected	—
`MT6885`	affected	—
`MT6886`	affected	—
`MT6889`	affected	—
`MT6890`	affected	—
`MT6891`	affected	—
`MT6893`	affected	—
`MT6895`	affected	—
`MT6895TT`	affected	—
`MT6896`	affected	—
`MT6897`	affected	—
`MT6899`	affected	—
`MT6980`	affected	—
`MT6980D`	affected	—
`MT6983`	affected	—
`MT6983T`	affected	—
`MT6985`	affected	—
`MT6985T`	affected	—
`MT6989`	affected	—
`MT6989T`	affected	—
`MT6990`	affected	—
`MT6991`	affected	—
`MT8666`	affected	—
`MT8667`	affected	—
`MT8668`	affected	—
`MT8673`	affected	—
`MT8675`	affected	—
`MT8676`	affected	—
`MT8678`	affected	—
`MT8755`	affected	—
`MT8765`	affected	—
`MT8766`	affected	—
`MT8766R`	affected	—
`MT8768`	affected	—
`MT8771`	affected	—
`MT8781`	affected	—
`MT8786`	affected	—
`MT8788`	affected	—
`MT8788E`	affected	—
`MT8789`	affected	—
`MT8791`	affected	—
`MT8791T`	affected	—
`MT8792`	affected	—
`MT8793`	affected	—
`MT8795T`	affected	—
`MT8797`	affected	—
`MT8798`	affected	—
`MT8863`	affected	—
`MT8873`	affected	—
`MT8883`	affected	—
`MT8893`	affected	—

Configuration 1 [-]

AND

OR	cpe:2.3:o:mediatek:lr12a:-:::::::*
	cpe:2.3:o:mediatek:lr13:-:::::::*
	cpe:2.3:o:mediatek:nr15:-:::::::*
	cpe:2.3:o:mediatek:nr16:-:::::::*
	cpe:2.3:o:mediatek:nr17:-:::::::*

OR	cpe:2.3:h:mediatek:mt2735:-:::::::*
	cpe:2.3:h:mediatek:mt2737:-:::::::*
	cpe:2.3:h:mediatek:mt6739:-:::::::*
	cpe:2.3:h:mediatek:mt6761:-:::::::*
	cpe:2.3:h:mediatek:mt6762:-:::::::*
	cpe:2.3:h:mediatek:mt6762d:-:::::::*
	cpe:2.3:h:mediatek:mt6762m:-:::::::*
	cpe:2.3:h:mediatek:mt6763:-:::::::*
	cpe:2.3:h:mediatek:mt6765:-:::::::*
	cpe:2.3:h:mediatek:mt6765t:-:::::::*
	cpe:2.3:h:mediatek:mt6767:-:::::::*
	cpe:2.3:h:mediatek:mt6768:-:::::::*
	cpe:2.3:h:mediatek:mt6769:-:::::::*
	cpe:2.3:h:mediatek:mt6769k:-:::::::*
	cpe:2.3:h:mediatek:mt6769s:-:::::::*
	cpe:2.3:h:mediatek:mt6769t:-:::::::*
	cpe:2.3:h:mediatek:mt6769z:-:::::::*
	cpe:2.3:h:mediatek:mt6771:-:::::::*
	cpe:2.3:h:mediatek:mt6779:-:::::::*
	cpe:2.3:h:mediatek:mt6781:-:::::::*
	cpe:2.3:h:mediatek:mt6783:-:::::::*
	cpe:2.3:h:mediatek:mt6785:-:::::::*
	cpe:2.3:h:mediatek:mt6785t:-:::::::*
	cpe:2.3:h:mediatek:mt6785u:-:::::::*
	cpe:2.3:h:mediatek:mt6789:-:::::::*
	cpe:2.3:h:mediatek:mt6833:-:::::::*
	cpe:2.3:h:mediatek:mt6833p:-:::::::*
	cpe:2.3:h:mediatek:mt6835:-:::::::*
	cpe:2.3:h:mediatek:mt6835t:-:::::::*
	cpe:2.3:h:mediatek:mt6853:-:::::::*
	cpe:2.3:h:mediatek:mt6853t:-:::::::*
	cpe:2.3:h:mediatek:mt6855:-:::::::*
	cpe:2.3:h:mediatek:mt6855t:-:::::::*
	cpe:2.3:h:mediatek:mt6873:-:::::::*
	cpe:2.3:h:mediatek:mt6875:-:::::::*
	cpe:2.3:h:mediatek:mt6875t:-:::::::*
	cpe:2.3:h:mediatek:mt6877:-:::::::*
	cpe:2.3:h:mediatek:mt6877t:-:::::::*
	cpe:2.3:h:mediatek:mt6877tt:-:::::::*
	cpe:2.3:h:mediatek:mt6878:-:::::::*
	cpe:2.3:h:mediatek:mt6878m:-:::::::*
	cpe:2.3:h:mediatek:mt6879:-:::::::*
	cpe:2.3:h:mediatek:mt6880:-:::::::*
	cpe:2.3:h:mediatek:mt6883:-:::::::*
	cpe:2.3:h:mediatek:mt6885:-:::::::*
	cpe:2.3:h:mediatek:mt6886:-:::::::*
	cpe:2.3:h:mediatek:mt6889:-:::::::*
	cpe:2.3:h:mediatek:mt6890:-:::::::*
	cpe:2.3:h:mediatek:mt6891:-:::::::*
	cpe:2.3:h:mediatek:mt6893:-:::::::*
	cpe:2.3:h:mediatek:mt6895:-:::::::*
	cpe:2.3:h:mediatek:mt6895tt:-:::::::*
	cpe:2.3:h:mediatek:mt6896:-:::::::*
	cpe:2.3:h:mediatek:mt6897:-:::::::*
	cpe:2.3:h:mediatek:mt6899:-:::::::*
	cpe:2.3:h:mediatek:mt6980:-:::::::*
	cpe:2.3:h:mediatek:mt6980d:-:::::::*
	cpe:2.3:h:mediatek:mt6983:-:::::::*
	cpe:2.3:h:mediatek:mt6983t:-:::::::*
	cpe:2.3:h:mediatek:mt6985:-:::::::*
	cpe:2.3:h:mediatek:mt6985t:-:::::::*
	cpe:2.3:h:mediatek:mt6989:-:::::::*
	cpe:2.3:h:mediatek:mt6989t:-:::::::*
	cpe:2.3:h:mediatek:mt6990:-:::::::*
cpe:2.3:h:mediatek:mt6991:-:::::::*
cpe:2.3:h:mediatek:mt8666:-:::::::*
cpe:2.3:h:mediatek:mt8667:-:::::::*
cpe:2.3:h:mediatek:mt8668:-:::::::*
cpe:2.3:h:mediatek:mt8673:-:::::::*
cpe:2.3:h:mediatek:mt8675:-:::::::*
cpe:2.3:h:mediatek:mt8676:-:::::::*
cpe:2.3:h:mediatek:mt8678:-:::::::*
cpe:2.3:h:mediatek:mt8755:-:::::::*
cpe:2.3:h:mediatek:mt8765:-:::::::*
cpe:2.3:h:mediatek:mt8766:-:::::::*
cpe:2.3:h:mediatek:mt8766r:-:::::::*
cpe:2.3:h:mediatek:mt8768:-:::::::*
cpe:2.3:h:mediatek:mt8771:-:::::::*
cpe:2.3:h:mediatek:mt8781:-:::::::*
cpe:2.3:h:mediatek:mt8786:-:::::::*
cpe:2.3:h:mediatek:mt8788:-:::::::*
cpe:2.3:h:mediatek:mt8788e:-:::::::*
cpe:2.3:h:mediatek:mt8789:-:::::::*
cpe:2.3:h:mediatek:mt8791:-:::::::*
cpe:2.3:h:mediatek:mt8791t:-:::::::*
cpe:2.3:h:mediatek:mt8792:-:::::::*
cpe:2.3:h:mediatek:mt8793:-:::::::*
cpe:2.3:h:mediatek:mt8795t:-:::::::*
cpe:2.3:h:mediatek:mt8797:-:::::::*
cpe:2.3:h:mediatek:mt8798:-:::::::*
cpe:2.3:h:mediatek:mt8863:-:::::::*
cpe:2.3:h:mediatek:mt8873:-:::::::*
cpe:2.3:h:mediatek:mt8883:-:::::::*
cpe:2.3:h:mediatek:mt8893:-:::::::*

No data.

Vendor Product Confidence Versions

Mediatek

Mt2735

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt2737

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6739

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6761

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6762

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6762d

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6762m

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6763

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6765

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6765t

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6767

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6768

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6769

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6769k

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6769s

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6769t

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6769z

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6771

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6779

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6781

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6783

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6785

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6785t

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6785u

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6789

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6833

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6833p

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6835

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6835t

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6853

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6853t

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6855

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6855t

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6873

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6875

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6875t

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6877

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6877t

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6877tt

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6878

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6878m

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6879

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6880

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6883

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6885

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6886

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6889

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6890

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6891

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6893

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6895

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6895tt

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6896

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6897

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6899

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6980

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6980d

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6983

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6983t

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6985

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6985t

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6989

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6989t

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6990

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt6991

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8666

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8667

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8668

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8673

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8675

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8676

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8678

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8755

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8765

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8766

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8766r

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8768

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8771

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8781

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8786

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8788

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8788e

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8789

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8791

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8791t

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8792

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8793

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8795t

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8797

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8798

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8863

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8873

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8883

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Mediatek

Mt8893

95%

Version	Status	Scheme	Platform
`Modem LR12A, LR13, NR15, NR16, NR17`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the MediaTek firmware patch identified by Patch ID MOLY00782946 to eliminate the vulnerable bounds check in the modem code.
Deploy the updated firmware to all affected devices, verifying that the patch is active before any exposure to untrusted base stations.
Configure network policy to block or restrict automatic connections to unknown or rogue base stations and monitor for anomalous connection attempts during the upgrade period.

Generated by OpenCVE AI on April 16, 2026 at 05:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00069.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://corp.mediatek.com/product-security-bulletin/March-2026

History

Thu, 16 Apr 2026 06:15:00 +0000

Type	Values Removed	Values Added
Title		Out-of-Bounds Write in MediaTek Modem Enables Remote Privilege Escalation

Mon, 02 Mar 2026 22:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mediatek Mediatek lr12a Mediatek lr13 Mediatek mt2735 Mediatek mt2737 Mediatek mt6739 Mediatek mt6761 Mediatek mt6762 Mediatek mt6762d Mediatek mt6762m Mediatek mt6763 Mediatek mt6765 Mediatek mt6765t Mediatek mt6767 Mediatek mt6768 Mediatek mt6769 Mediatek mt6769k Mediatek mt6769s Mediatek mt6769t Mediatek mt6769z Mediatek mt6771 Mediatek mt6779 Mediatek mt6781 Mediatek mt6783 Mediatek mt6785 Mediatek mt6785t Mediatek mt6785u Mediatek mt6789 Mediatek mt6833 Mediatek mt6833p Mediatek mt6835 Mediatek mt6835t Mediatek mt6853 Mediatek mt6853t Mediatek mt6855 Mediatek mt6855t Mediatek mt6873 Mediatek mt6875 Mediatek mt6875t Mediatek mt6877 Mediatek mt6877t Mediatek mt6877tt Mediatek mt6878 Mediatek mt6878m Mediatek mt6879 Mediatek mt6880 Mediatek mt6883 Mediatek mt6885 Mediatek mt6886 Mediatek mt6889 Mediatek mt6890 Mediatek mt6891 Mediatek mt6893 Mediatek mt6895 Mediatek mt6895tt Mediatek mt6896 Mediatek mt6897 Mediatek mt6899 Mediatek mt6980 Mediatek mt6980d Mediatek mt6983 Mediatek mt6983t Mediatek mt6985 Mediatek mt6985t Mediatek mt6989 Mediatek mt6989t Mediatek mt6990 Mediatek mt6991 Mediatek mt8666 Mediatek mt8667 Mediatek mt8668 Mediatek mt8673 Mediatek mt8675 Mediatek mt8676 Mediatek mt8678 Mediatek mt8755 Mediatek mt8765 Mediatek mt8766 Mediatek mt8766r Mediatek mt8768 Mediatek mt8771 Mediatek mt8781 Mediatek mt8786 Mediatek mt8788 Mediatek mt8788e Mediatek mt8789 Mediatek mt8791 Mediatek mt8791t Mediatek mt8792 Mediatek mt8793 Mediatek mt8795t Mediatek mt8797 Mediatek mt8798 Mediatek mt8863 Mediatek mt8873 Mediatek mt8883 Mediatek mt8893 Mediatek nr15 Mediatek nr16 Mediatek nr17
CPEs		cpe:2.3:h:mediatek:mt2735:-:::::::* cpe:2.3:h:mediatek:mt2737:-:::::::* cpe:2.3:h:mediatek:mt6739:-:::::::* cpe:2.3:h:mediatek:mt6761:-:::::::* cpe:2.3:h:mediatek:mt6762:-:::::::* cpe:2.3:h:mediatek:mt6762d:-:::::::* cpe:2.3:h:mediatek:mt6762m:-:::::::* cpe:2.3:h:mediatek:mt6763:-:::::::* cpe:2.3:h:mediatek:mt6765:-:::::::* cpe:2.3:h:mediatek:mt6765t:-:::::::* cpe:2.3:h:mediatek:mt6767:-:::::::* cpe:2.3:h:mediatek:mt6768:-:::::::* cpe:2.3:h:mediatek:mt6769:-:::::::* cpe:2.3:h:mediatek:mt6769k:-:::::::* cpe:2.3:h:mediatek:mt6769s:-:::::::* cpe:2.3:h:mediatek:mt6769t:-:::::::* cpe:2.3:h:mediatek:mt6769z:-:::::::* cpe:2.3:h:mediatek:mt6771:-:::::::* cpe:2.3:h:mediatek:mt6779:-:::::::* cpe:2.3:h:mediatek:mt6781:-:::::::* cpe:2.3:h:mediatek:mt6783:-:::::::* cpe:2.3:h:mediatek:mt6785:-:::::::* cpe:2.3:h:mediatek:mt6785t:-:::::::* cpe:2.3:h:mediatek:mt6785u:-:::::::* cpe:2.3:h:mediatek:mt6789:-:::::::* cpe:2.3:h:mediatek:mt6833:-:::::::* cpe:2.3:h:mediatek:mt6833p:-:::::::* cpe:2.3:h:mediatek:mt6835:-:::::::* cpe:2.3:h:mediatek:mt6835t:-:::::::* cpe:2.3:h:mediatek:mt6853:-:::::::* cpe:2.3:h:mediatek:mt6853t:-:::::::* cpe:2.3:h:mediatek:mt6855:-:::::::* cpe:2.3:h:mediatek:mt6855t:-:::::::* cpe:2.3:h:mediatek:mt6873:-:::::::* cpe:2.3:h:mediatek:mt6875:-:::::::* cpe:2.3:h:mediatek:mt6875t:-:::::::* cpe:2.3:h:mediatek:mt6877:-:::::::* cpe:2.3:h:mediatek:mt6877t:-:::::::* cpe:2.3:h:mediatek:mt6877tt:-:::::::* cpe:2.3:h:mediatek:mt6878:-:::::::* cpe:2.3:h:mediatek:mt6878m:-:::::::* cpe:2.3:h:mediatek:mt6879:-:::::::* cpe:2.3:h:mediatek:mt6880:-:::::::* cpe:2.3:h:mediatek:mt6883:-:::::::* cpe:2.3:h:mediatek:mt6885:-:::::::* cpe:2.3:h:mediatek:mt6886:-:::::::* cpe:2.3:h:mediatek:mt6889:-:::::::* cpe:2.3:h:mediatek:mt6890:-:::::::* cpe:2.3:h:mediatek:mt6891:-:::::::* cpe:2.3:h:mediatek:mt6893:-:::::::* cpe:2.3:h:mediatek:mt6895:-:::::::* cpe:2.3:h:mediatek:mt6895tt:-:::::::* cpe:2.3:h:mediatek:mt6896:-:::::::* cpe:2.3:h:mediatek:mt6897:-:::::::* cpe:2.3:h:mediatek:mt6899:-:::::::* cpe:2.3:h:mediatek:mt6980:-:::::::* cpe:2.3:h:mediatek:mt6980d:-:::::::* cpe:2.3:h:mediatek:mt6983:-:::::::* cpe:2.3:h:mediatek:mt6983t:-:::::::* cpe:2.3:h:mediatek:mt6985:-:::::::* cpe:2.3:h:mediatek:mt6985t:-:::::::* cpe:2.3:h:mediatek:mt6989:-:::::::* cpe:2.3:h:mediatek:mt6989t:-:::::::* cpe:2.3:h:mediatek:mt6990:-:::::::* cpe:2.3:h:mediatek:mt6991:-:::::::* cpe:2.3:h:mediatek:mt8666:-:::::::* cpe:2.3:h:mediatek:mt8667:-:::::::* cpe:2.3:h:mediatek:mt8668:-:::::::* cpe:2.3:h:mediatek:mt8673:-:::::::* cpe:2.3:h:mediatek:mt8675:-:::::::* cpe:2.3:h:mediatek:mt8676:-:::::::* cpe:2.3:h:mediatek:mt8678:-:::::::* cpe:2.3:h:mediatek:mt8755:-:::::::* cpe:2.3:h:mediatek:mt8765:-:::::::* cpe:2.3:h:mediatek:mt8766:-:::::::* cpe:2.3:h:mediatek:mt8766r:-:::::::* cpe:2.3:h:mediatek:mt8768:-:::::::* cpe:2.3:h:mediatek:mt8771:-:::::::* cpe:2.3:h:mediatek:mt8781:-:::::::* cpe:2.3:h:mediatek:mt8786:-:::::::* cpe:2.3:h:mediatek:mt8788:-:::::::* cpe:2.3:h:mediatek:mt8788e:-:::::::* cpe:2.3:h:mediatek:mt8789:-:::::::* cpe:2.3:h:mediatek:mt8791:-:::::::* cpe:2.3:h:mediatek:mt8791t:-:::::::* cpe:2.3:h:mediatek:mt8792:-:::::::* cpe:2.3:h:mediatek:mt8793:-:::::::* cpe:2.3:h:mediatek:mt8795t:-:::::::* cpe:2.3:h:mediatek:mt8797:-:::::::* cpe:2.3:h:mediatek:mt8798:-:::::::* cpe:2.3:h:mediatek:mt8863:-:::::::* cpe:2.3:h:mediatek:mt8873:-:::::::* cpe:2.3:h:mediatek:mt8883:-:::::::* cpe:2.3:h:mediatek:mt8893:-:::::::* cpe:2.3:o:mediatek:lr12a:-:::::::* cpe:2.3:o:mediatek:lr13:-:::::::* cpe:2.3:o:mediatek:nr15:-:::::::* cpe:2.3:o:mediatek:nr16:-:::::::* cpe:2.3:o:mediatek:nr17:-:::::::*
Vendors & Products		Mediatek Mediatek lr12a Mediatek lr13 Mediatek mt2735 Mediatek mt2737 Mediatek mt6739 Mediatek mt6761 Mediatek mt6762 Mediatek mt6762d Mediatek mt6762m Mediatek mt6763 Mediatek mt6765 Mediatek mt6765t Mediatek mt6767 Mediatek mt6768 Mediatek mt6769 Mediatek mt6769k Mediatek mt6769s Mediatek mt6769t Mediatek mt6769z Mediatek mt6771 Mediatek mt6779 Mediatek mt6781 Mediatek mt6783 Mediatek mt6785 Mediatek mt6785t Mediatek mt6785u Mediatek mt6789 Mediatek mt6833 Mediatek mt6833p Mediatek mt6835 Mediatek mt6835t Mediatek mt6853 Mediatek mt6853t Mediatek mt6855 Mediatek mt6855t Mediatek mt6873 Mediatek mt6875 Mediatek mt6875t Mediatek mt6877 Mediatek mt6877t Mediatek mt6877tt Mediatek mt6878 Mediatek mt6878m Mediatek mt6879 Mediatek mt6880 Mediatek mt6883 Mediatek mt6885 Mediatek mt6886 Mediatek mt6889 Mediatek mt6890 Mediatek mt6891 Mediatek mt6893 Mediatek mt6895 Mediatek mt6895tt Mediatek mt6896 Mediatek mt6897 Mediatek mt6899 Mediatek mt6980 Mediatek mt6980d Mediatek mt6983 Mediatek mt6983t Mediatek mt6985 Mediatek mt6985t Mediatek mt6989 Mediatek mt6989t Mediatek mt6990 Mediatek mt6991 Mediatek mt8666 Mediatek mt8667 Mediatek mt8668 Mediatek mt8673 Mediatek mt8675 Mediatek mt8676 Mediatek mt8678 Mediatek mt8755 Mediatek mt8765 Mediatek mt8766 Mediatek mt8766r Mediatek mt8768 Mediatek mt8771 Mediatek mt8781 Mediatek mt8786 Mediatek mt8788 Mediatek mt8788e Mediatek mt8789 Mediatek mt8791 Mediatek mt8791t Mediatek mt8792 Mediatek mt8793 Mediatek mt8795t Mediatek mt8797 Mediatek mt8798 Mediatek mt8863 Mediatek mt8873 Mediatek mt8883 Mediatek mt8893 Mediatek nr15 Mediatek nr16 Mediatek nr17

Mon, 02 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 02 Mar 2026 09:00:00 +0000

Type	Values Removed	Values Added
Description		In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY00782946; Issue ID: MSV-4135.
Weaknesses		CWE-787
References		https://corp.mediatek.com/product-security-bulletin/March-2026

Subscriptions

Mediatek Lr12a Lr13 Mt2735 Mt2737 Mt6739 Mt6761 Mt6762 Mt6762d Mt6762m Mt6763 Mt6765 Mt6765t Mt6767 Mt6768 Mt6769 Mt6769k Mt6769s Mt6769t Mt6769z Mt6771 Mt6779 Mt6781 Mt6783 Mt6785 Mt6785t Mt6785u Mt6789 Mt6833 Mt6833p Mt6835 Mt6835t Mt6853 Mt6853t Mt6855 Mt6855t Mt6873 Mt6875 Mt6875t Mt6877 Mt6877t Mt6877tt Mt6878 Mt6878m Mt6879 Mt6880 Mt6883 Mt6885 Mt6886 Mt6889 Mt6890 Mt6891 Mt6893 Mt6895 Mt6895tt Mt6896 Mt6897 Mt6899 Mt6980 Mt6980d Mt6983 Mt6983t Mt6985 Mt6985t Mt6989 Mt6989t Mt6990 Mt6991 Mt8666 Mt8667 Mt8668 Mt8673 Mt8675 Mt8676 Mt8678 Mt8755 Mt8765 Mt8766 Mt8766r Mt8768 Mt8771 Mt8781 Mt8786 Mt8788 Mt8788e Mt8789 Mt8791 Mt8791t Mt8792 Mt8793 Mt8795t Mt8797 Mt8798 Mt8863 Mt8873 Mt8883 Mt8893 Nr15 Nr16 Nr17

MITRE

Status: PUBLISHED

Assigner: MediaTek

Published: 2026-03-02T08:39:10.077Z

Updated: 2026-03-30T13:05:35.387Z

Reserved: 2025-11-03T01:30:59.011Z

Link: CVE-2026-20434

Vulnrichment

Updated: 2026-03-02T13:37:34.417Z

NVD

Status : Analyzed

Published: 2026-03-02T09:16:16.460

Modified: 2026-03-02T22:04:18.130

Link: CVE-2026-20434

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:00:10Z

Weaknesses

CWE-787

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object