Description
In MAE, there is a possible system crash due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10431940; Issue ID: MSV-5843.
Published: 2026-03-02
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Denial of Service
Action: Patch Update
AI Analysis

Impact

A use-after-free flaw in MediaTek’s MAE component can trigger a system crash, which manifests as a local denial of service. The vulnerability requires that the attacking process already have system privilege to trigger the fault, and no user interaction is needed for exploitation. The crash does not expose data, but it can temporarily disrupt device operation.

Affected Systems

MediaTek chipsets MT2718, MT6899, MT6991, MT8678 and MT8793, and devices running Android 15.0 that incorporate the MAE component, are affected. All firmware on those platforms must be checked for the presence of the flaw.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate severity, while the EPSS score of less than 1% suggests that the likelihood of exploitation is very low. The vulnerability is not listed in the CISA KEV catalog. Exploitation is only feasible when an attacker already has system privilege on the device, which limits the scope to local or privileged contexts. Consequently, the overall risk remains low, but the flaw can still be used to crash the device for a short interruption of service.

Generated by OpenCVE AI on April 16, 2026 at 05:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the MediaTek firmware update identified by patch ID ALPS10431940 to all affected devices.
  • If the patch is not feasible immediately, schedule a firmware upgrade as soon as the patched image is available.
  • Validate firmware integrity by checking cryptographic signatures before installation, so that rolled-back or tampered images are rejected.



Advisories

No advisories yet.

History

Thu, 16 Apr 2026 06:15:00 +0000

Values added:
  Title: Potential Use-After-Free Leading to Local Denial of Service in MediaTek MAE

Tue, 03 Mar 2026 13:00:00 +0000

Values added:
  First time appeared: Google; Google android; Mediatek; Mediatek mt2718; Mediatek mt6899; Mediatek mt6991; Mediatek mt8678; Mediatek mt8793
  CPEs:
    cpe:2.3:h:mediatek:mt2718:-:*:*:*:*:*:*:*
    cpe:2.3:h:mediatek:mt6899:-:*:*:*:*:*:*:*
    cpe:2.3:h:mediatek:mt6991:-:*:*:*:*:*:*:*
    cpe:2.3:h:mediatek:mt8678:-:*:*:*:*:*:*:*
    cpe:2.3:h:mediatek:mt8793:-:*:*:*:*:*:*:*
    cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
  Vendors & Products: Google; Google android; Mediatek; Mediatek mt2718; Mediatek mt6899; Mediatek mt6991; Mediatek mt8678; Mediatek mt8793

Mon, 02 Mar 2026 14:15:00 +0000

Values added:
  Metrics:
    cvssV3_1: {'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 09:00:00 +0000

Values added:
  Description: In MAE, there is a possible system crash due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10431940; Issue ID: MSV-5843.
  Weaknesses: CWE-416
References

MITRE

Status: PUBLISHED

Assigner: MediaTek

Published:

Updated: 2026-03-30T13:05:43.901Z

Reserved: 2025-11-03T01:30:59.012Z

Link: CVE-2026-20437

Vulnrichment

Updated: 2026-03-02T13:53:07.110Z

NVD

Status : Analyzed

Published: 2026-03-02T09:16:16.880

Modified: 2026-03-03T12:48:58.610

Link: CVE-2026-20437

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:00:10Z

Weaknesses