CVE-2026-20433: CWE-787 Out-of-bounds Write in MediaTek, Inc. MediaTek chipset
CVE-2026-20433 is a high-severity vulnerability in MediaTek chipsets involving an out-of-bounds write in the modem component due to a missing bounds check. Exploitation requires a user device to connect to a rogue base station controlled by an attacker, with no additional execution privileges needed. User interaction is necessary for exploitation. The vulnerability affects a wide range of MediaTek chipset models. No official patch or remediation level has been confirmed yet.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-20433) is an out-of-bounds write (CWE-787) in the modem of MediaTek chipsets caused by a missing bounds check. It allows remote escalation of privilege when a user equipment (UE) connects to a malicious base station. The attacker does not require additional execution privileges to exploit this issue, but user interaction is required. The vulnerability impacts numerous MediaTek chipset versions. The CVSS v3.1 score is 8.8, indicating high severity with attack vector being adjacent network, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. As of the published date, no patch or official remediation has been confirmed.
Potential Impact
Successful exploitation can lead to remote escalation of privilege on affected MediaTek chipsets, potentially compromising confidentiality, integrity, and availability of the device. The attacker must control a rogue base station and the user device must connect to it. No additional execution privileges are needed by the attacker, increasing the risk. However, user interaction is required for exploitation. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or remediation level is provided, users and administrators should monitor MediaTek advisories for updates. Avoid connecting to untrusted or suspicious base stations to reduce exposure. No additional mitigation instructions are available from the vendor at this time.
CVE-2026-20433: CWE-787 Out-of-bounds Write in MediaTek, Inc. MediaTek chipset
Description
CVE-2026-20433 is a high-severity vulnerability in MediaTek chipsets involving an out-of-bounds write in the modem component due to a missing bounds check. Exploitation requires a user device to connect to a rogue base station controlled by an attacker, with no additional execution privileges needed. User interaction is necessary for exploitation. The vulnerability affects a wide range of MediaTek chipset models. No official patch or remediation level has been confirmed yet.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-20433) is an out-of-bounds write (CWE-787) in the modem of MediaTek chipsets caused by a missing bounds check. It allows remote escalation of privilege when a user equipment (UE) connects to a malicious base station. The attacker does not require additional execution privileges to exploit this issue, but user interaction is required. The vulnerability impacts numerous MediaTek chipset versions. The CVSS v3.1 score is 8.8, indicating high severity with attack vector being adjacent network, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. As of the published date, no patch or official remediation has been confirmed.
Potential Impact
Successful exploitation can lead to remote escalation of privilege on affected MediaTek chipsets, potentially compromising confidentiality, integrity, and availability of the device. The attacker must control a rogue base station and the user device must connect to it. No additional execution privileges are needed by the attacker, increasing the risk. However, user interaction is required for exploitation. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or remediation level is provided, users and administrators should monitor MediaTek advisories for updates. Avoid connecting to untrusted or suspicious base stations to reduce exposure. No additional mitigation instructions are available from the vendor at this time.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- MediaTek
- Date Reserved
- 2025-11-03T01:30:59.011Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d47ddc0a160ebd9234c834
Added to database: 4/7/2026, 3:45:32 AM
Last enriched: 4/14/2026, 3:52:04 PM
Last updated: 5/22/2026, 7:19:46 PM
Views: 93
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.