CVE-2026-20438 - Vulnerability Details

- Out‑of‑Bounds Write in MediaTek MAE Enables Local Privilege Escalation

Description

In MAE, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10431920; Issue ID: MSV-5835.

Published: 2026-03-02

Score: 6.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In the MediaTek MAE component, a race condition can trigger an out‑of‑bounds write. The write can corrupt memory and grant a local attacker additional privileges if the attacker has already obtained system‑level access. No user interaction is required for exploitation.

Affected Systems

The vulnerability affects devices that incorporate several MediaTek chipsets, including MT2718, MT6899, MT6991, MT8168, MT8169, MT8186, MT8188, MT8678, MT8695, MT8696, and MT8793. Android 15 running on these chipsets is also affected.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, but the EPSS score of less than 1% shows a very low likelihood of public exploitation. The flaw is listed as not being in the CISA KEV catalog. Exploitation requires local presence and pre‑existing system privilege, with no requirement for user interaction. Attackers with system rights could use the race condition to write beyond array bounds and elevate privileges further.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

MediaTek, Inc.

MediaTek chipset

unaffected

Version	Status	Constraints
`MT2718`	affected	—
`MT6899`	affected	—
`MT6991`	affected	—
`MT8168`	affected	—
`MT8169`	affected	—
`MT8186`	affected	—
`MT8188`	affected	—
`MT8678`	affected	—
`MT8695`	affected	—
`MT8696`	affected	—
`MT8793`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*

OR	cpe:2.3:h:mediatek:mt2718:-:::::::*
	cpe:2.3:h:mediatek:mt6899:-:::::::*
	cpe:2.3:h:mediatek:mt6991:-:::::::*
	cpe:2.3:h:mediatek:mt8168:-:::::::*
	cpe:2.3:h:mediatek:mt8169:-:::::::*
	cpe:2.3:h:mediatek:mt8186:-:::::::*
	cpe:2.3:h:mediatek:mt8188:-:::::::*
	cpe:2.3:h:mediatek:mt8678:-:::::::*
	cpe:2.3:h:mediatek:mt8695:-:::::::*
	cpe:2.3:h:mediatek:mt8696:-:::::::*
	cpe:2.3:h:mediatek:mt8793:-:::::::*

No data.

Vendor Product Confidence Versions

Mediatek

Mt2718

95%

Version	Status	Scheme	Platform
`Android 15.0`	affected	generic	—

Mediatek

Mt6899

95%

Version	Status	Scheme	Platform
`Android 15.0`	affected	generic	—

Mediatek

Mt6991

95%

Version	Status	Scheme	Platform
`Android 15.0`	affected	generic	—

Mediatek

Mt8168

95%

Version	Status	Scheme	Platform
`Android 15.0`	affected	generic	—

Mediatek

Mt8169

95%

Version	Status	Scheme	Platform
`Android 15.0`	affected	generic	—

Mediatek

Mt8186

95%

Version	Status	Scheme	Platform
`Android 15.0`	affected	generic	—

Mediatek

Mt8188

95%

Version	Status	Scheme	Platform
`Android 15.0`	affected	generic	—

Mediatek

Mt8678

95%

Version	Status	Scheme	Platform
`Android 15.0`	affected	generic	—

Mediatek

Mt8695

95%

Version	Status	Scheme	Platform
`Android 15.0`	affected	generic	—

Mediatek

Mt8696

95%

Version	Status	Scheme	Platform
`Android 15.0`	affected	generic	—

Mediatek

Mt8793

95%

Version	Status	Scheme	Platform
`Android 15.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Install the MediaTek firmware update containing patch ALPS10431920 on all affected devices.
If an update cannot be applied immediately, isolate the affected devices from sensitive networks and restrict the use of the MAE feature to reduce exposure.
Monitor system logs for unauthorized privilege escalations and unusual memory handling events to detect exploitation attempts.

Generated by OpenCVE AI on April 16, 2026 at 14:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00005.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://corp.mediatek.com/product-security-bulletin/March-2026

History

Thu, 16 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Title		Out‑of‑Bounds Write in MediaTek MAE Enables Local Privilege Escalation

Tue, 03 Mar 2026 13:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google android Mediatek Mediatek mt2718 Mediatek mt6899 Mediatek mt6991 Mediatek mt8168 Mediatek mt8169 Mediatek mt8186 Mediatek mt8188 Mediatek mt8678 Mediatek mt8695 Mediatek mt8696 Mediatek mt8793
CPEs		cpe:2.3:h:mediatek:mt2718:-:::::::* cpe:2.3:h:mediatek:mt6899:-:::::::* cpe:2.3:h:mediatek:mt6991:-:::::::* cpe:2.3:h:mediatek:mt8168:-:::::::* cpe:2.3:h:mediatek:mt8169:-:::::::* cpe:2.3:h:mediatek:mt8186:-:::::::* cpe:2.3:h:mediatek:mt8188:-:::::::* cpe:2.3:h:mediatek:mt8678:-:::::::* cpe:2.3:h:mediatek:mt8695:-:::::::* cpe:2.3:h:mediatek:mt8696:-:::::::* cpe:2.3:h:mediatek:mt8793:-:::::::* cpe:2.3:o:google:android:15.0:::::::*
Vendors & Products		Google Google android Mediatek Mediatek mt2718 Mediatek mt6899 Mediatek mt6991 Mediatek mt8168 Mediatek mt8169 Mediatek mt8186 Mediatek mt8188 Mediatek mt8678 Mediatek mt8695 Mediatek mt8696 Mediatek mt8793

Mon, 02 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 02 Mar 2026 09:00:00 +0000

Type	Values Removed	Values Added
Description		In MAE, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10431920; Issue ID: MSV-5835.
Weaknesses		CWE-367
References		https://corp.mediatek.com/product-security-bulletin/March-2026

Subscriptions

Google Android

Mediatek Mt2718 Mt6899 Mt6991 Mt8168 Mt8169 Mt8186 Mt8188 Mt8678 Mt8695 Mt8696 Mt8793

MITRE

Status: PUBLISHED

Assigner: MediaTek

Published: 2026-03-02T08:39:17.978Z

Updated: 2026-03-30T13:05:46.527Z

Reserved: 2025-11-03T01:30:59.012Z

Link: CVE-2026-20438

Vulnrichment

Updated: 2026-03-02T13:31:37.791Z

NVD

Status : Analyzed

Published: 2026-03-02T09:16:17.030

Modified: 2026-03-03T12:48:14.800

Link: CVE-2026-20438

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T14:45:25Z

Weaknesses

CWE-367

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object