CVE-2025-20797 is a stack overflow vulnerability classified under CWE-121, discovered in the battery management component of multiple MediaTek chipsets, including MT2718, MT6765, MT6768, MT6781, MT6833, MT6835, MT6853, MT6855, MT6877, MT6879, MT6893, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8367, MT8391, MT8676, MT8678, MT8696, MT8766, MT8768, MT8781, MT8786, MT8788E, MT8791T, MT8792, MT8793, MT8796, MT8873, MT8883, and MT8893. These chipsets are integrated into devices running Android versions 14.0 through 16.0. The vulnerability stems from a missing bounds check during battery-related operations, which allows an out-of-bounds write on the stack. This flaw can be exploited by an attacker who has already obtained System-level privileges on the device, enabling local escalation of privileges without requiring any user interaction. The vulnerability impacts the confidentiality, integrity, and availability of the system by potentially allowing arbitrary code execution or system control escalation. The CVSS v3.1 score of 7.8 reflects the high severity, with an attack vector limited to local access (AV:L), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no exploits are currently known in the wild, the broad range of affected chipsets and Android versions makes this a significant threat. The patch identifier ALPS10315812 and issue ID MSV-5534 are noted, but no direct patch links are provided. The vulnerability was reserved in November 2024 and published in January 2026.

The vulnerability allows an attacker with System privileges to perform a stack overflow via an out-of-bounds write in the battery component, leading to local privilege escalation. This can compromise device confidentiality by exposing sensitive data, integrity by enabling unauthorized code execution or modification of system components, and availability by potentially causing system crashes or denial of service. Since the attack requires local access and System privileges, it primarily threatens environments where attackers have already breached initial defenses or have insider access. However, given the widespread deployment of MediaTek chipsets in consumer and enterprise Android devices, the vulnerability poses a significant risk to millions of devices worldwide. Exploitation could facilitate persistent malware installation, bypass of security controls, or further lateral movement within networks. The absence of required user interaction increases the risk of automated or stealthy exploitation once initial access is gained.

Organizations and device manufacturers should prioritize applying the official patch ALPS10315812 as soon as it becomes available to remediate the missing bounds check. Until patches are deployed, enforcing strict privilege separation and minimizing the number of processes or users with System-level privileges can reduce exploitation risk. Employ runtime protections such as stack canaries, address space layout randomization (ASLR), and control-flow integrity (CFI) to mitigate exploitation of stack overflows. Regularly audit and monitor devices for unusual local privilege escalation attempts or anomalous battery component behavior. For enterprise environments, restrict physical and local access to devices, and implement endpoint detection and response (EDR) solutions capable of detecting exploitation attempts. Device manufacturers should also review and harden battery management code to prevent similar vulnerabilities. Finally, maintain up-to-date inventories of affected devices to ensure timely patch management.