CVE-2026-20422 is a vulnerability categorized under CWE-617 (Reachable Assertion) found in the modem firmware of MediaTek chipsets. The flaw arises from improper input validation within the modem's processing logic, which can trigger an assertion failure leading to a system crash. This vulnerability affects a wide range of MediaTek chipset models, including but not limited to MT2735, MT6853, MT6895, MT6980, MT8678, and MT8893. The attack vector requires the targeted User Equipment (UE) to connect to a maliciously controlled rogue base station. Once connected, the attacker can send crafted inputs that cause the modem to hit the assertion failure, resulting in a denial of service without requiring any user interaction or elevated privileges. The CVSS v3.1 score is 6.5, reflecting a medium severity level, with an attack vector of adjacent network (AV:A), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no impact on confidentiality or integrity (C:N/I:N), but high impact on availability (A:H). The vulnerability was publicly disclosed on February 2, 2026, with a patch available under ID MOLY00827332. No exploits have been reported in the wild to date, but the broad chipset impact and ease of exploitation make it a significant concern for mobile device security.

The primary impact of CVE-2026-20422 is a remote denial of service condition on devices using affected MediaTek chipsets. This can disrupt mobile device availability, potentially affecting user communications, critical applications, and services relying on cellular connectivity. For organizations, this could translate into operational disruptions, especially for sectors relying on mobile networks for critical communications such as emergency services, logistics, and financial transactions. The vulnerability’s exploitation does not compromise confidentiality or integrity but can degrade service reliability. Since exploitation requires connection to a rogue base station, attackers with the capability to deploy such infrastructure could target specific users or geographic areas, leading to localized service outages. The broad range of affected chipset models indicates a widespread potential impact across many mobile devices globally, including smartphones, IoT devices, and embedded systems using MediaTek components.

Organizations and device manufacturers should immediately apply the patch identified as MOLY00827332 to all affected MediaTek chipset firmware versions. Network operators should monitor for rogue base stations and implement detection mechanisms to identify and mitigate unauthorized cellular infrastructure. Device vendors should update their security advisories and push firmware updates to end users promptly. Enterprises deploying devices with MediaTek chipsets should enforce strict network access controls and consider mobile threat defense solutions that can detect anomalous network behavior indicative of rogue base stations. Additionally, users should be educated to avoid connecting to suspicious or unknown cellular networks when possible. For critical deployments, consider multi-factor communication channels or fallback mechanisms to maintain availability in case of targeted DoS attacks via this vulnerability.