CVE-2023-20726 Overview
CVE-2023-20726 is a missing permission check vulnerability in the MediaTek mnld (MediaTek Network Location Daemon) component that enables unauthorized access to GPS location data. The flaw allows a local attacker with basic privileges to retrieve sensitive location information without requiring proper permissions, constituting an information disclosure vulnerability that could compromise user privacy.
Critical Impact
Local attackers can access GPS location data without proper authorization, potentially enabling stalking, surveillance, or privacy violations on affected Android devices and embedded systems.
Affected Products
- Google Android 11.0, 12.0, 13.0
- MediaTek chipsets: MT6580, MT6739, MT6761, MT6762, MT6765, MT6767, MT6768, MT6769, MT6771, MT6779, MT6781, MT6783, MT6785, MT6789, MT6833, MT6853, MT6855, MT6873, MT6877, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6980, MT6980D, MT6983, MT6985, MT6990
- MediaTek tablet chipsets: MT8167, MT8168, MT8173, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8666, MT8673, MT8675, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797
- MediaTek modem components: MT2731, MT2735, MT2737
- Linux Foundation Yocto 2.6, 3.3
- OpenWrt 19.07.0, 21.02.0
- RDKcentral RDKB 2022Q3
Discovery Timeline
- May 15, 2023 - CVE-2023-20726 published to NVD
- January 24, 2025 - Last updated in NVD database
Technical Details for CVE-2023-20726
Vulnerability Analysis
The vulnerability exists in the mnld component, which is MediaTek's daemon responsible for managing GPS and network location services on affected chipsets. The core issue is the absence of a proper permission check before granting access to GPS location data. This authorization bypass (CWE-862: Missing Authorization) allows any local application or process to query and receive location coordinates without holding the required location permissions that Android normally enforces.
The impact extends across a wide range of MediaTek mobile and tablet System-on-Chip (SoC) platforms spanning multiple generations, from entry-level MT6580 to flagship MT6990 chipsets. This broad scope means millions of devices across various manufacturers using these MediaTek processors could be vulnerable.
Root Cause
The root cause is a missing authorization check in the mnld daemon's handling of location data requests. The daemon fails to validate whether the calling process or application has been granted the appropriate location permissions (such as ACCESS_FINE_LOCATION or ACCESS_COARSE_LOCATION on Android) before returning GPS coordinate data. This oversight in the access control logic allows unauthorized callers to bypass the operating system's permission model.
Attack Vector
The attack requires local access to the device, meaning an attacker needs to have a malicious application installed or code execution on the target device. Once present, the attacker can exploit the vulnerability to:
- Query the mnld daemon directly through its exposed interfaces
- Receive GPS location data without triggering permission prompts to the user
- Track the device's location silently over time without the user's knowledge
The vulnerability does not require user interaction and no additional execution privileges beyond basic local access are needed, making it particularly concerning for privacy-conscious users who may believe their location data is protected by Android's permission system.
Detection Methods for CVE-2023-20726
Indicators of Compromise
- Unusual IPC (Inter-Process Communication) activity involving the mnld daemon from applications without location permissions
- Applications accessing location services that don't have location permissions declared in their manifest
- Suspicious processes querying /dev/gps or related GPS hardware interfaces
- Log entries showing location data access from unauthorized package UIDs
Detection Strategies
- Monitor for applications accessing location APIs or mnld daemon interfaces without proper permission grants in the Android permission manager
- Implement runtime detection for anomalous location data access patterns using mobile endpoint protection solutions
- Review installed applications for those requesting minimal permissions but exhibiting location-aware behavior
- Audit system logs for mnld daemon access from unexpected process contexts
Monitoring Recommendations
- Deploy SentinelOne Mobile Threat Defense to detect applications attempting to exploit permission bypass vulnerabilities
- Enable verbose logging for location services and monitor for unauthorized access attempts
- Implement network-level monitoring for applications transmitting location data that shouldn't have access to it
- Regularly audit device applications and their granted permissions against their declared requirements
How to Mitigate CVE-2023-20726
Immediate Actions Required
- Apply the MediaTek security patches identified as ALPS07735968 and ALPS07884552 through device manufacturer OTA updates
- Check device firmware version against MediaTek's May 2023 Security Bulletin to verify patch status
- Remove or disable untrusted applications that could potentially exploit this vulnerability
- For enterprise environments, enforce device compliance policies requiring minimum firmware versions that include the fix
Patch Information
MediaTek has released patches under Patch ID: ALPS07735968 / ALPS07884552. Note that for MT6880, MT6890, MT6980, MT6980D, and MT6990 chipsets, a specific patch variant applies. Organizations should consult the MediaTek Security Bulletin for May 2023 for detailed patch information. End users should contact their device manufacturer or carrier for firmware updates that incorporate these fixes.
Workarounds
- Limit installation of applications to trusted sources (Google Play Store with Play Protect enabled)
- Review and revoke unnecessary permissions from existing applications, particularly those that shouldn't require location access
- Consider disabling GPS/location services when not actively needed to reduce exposure
- Enterprise users should implement Mobile Device Management (MDM) policies to restrict application installation and enforce security baselines
```bash
# Check device security patch level on Android
adb shell getprop ro.build.version.security_patch
# Verify if device is running Android 11, 12, or 13 (affected versions)
adb shell getprop ro.build.version.release
# List the location-related permissions defined on the device (case-insensitive match).
# This lists permissions, not apps; per-app grants appear in `adb shell dumpsys package <package>`.
adb shell pm list permissions -g | grep -i location
```
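The following is an added example, not part of the original advisory or of any MediaTek or Google tooling. It applies this page's affected chipset list, affected Android versions and patch-level check to a device inventory. Assumptions: the chipset name is read from `ro.board.platform`, patch levels before 2023-05-01 are treated as unpatched, and the verdict names and the sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Inputs are the values these commands return on each device:
#   adb shell getprop ro.build.version.security_patch   (e.g. 2023-04-05)
#   adb shell getprop ro.build.version.release          (e.g. 12)
#   adb shell getprop ro.board.platform                 (e.g. mt6765; assumed source of the SoC name)
# Assumption: fixes arrived with the May 2023 bulletin, so older patch levels count as unpatched.
MIN_PATCH="2023-05-01"
# Chipsets from the Affected Products list on this page, lower-cased, single-space separated.
AFFECTED_SOCS="mt6580 mt6739 mt6761 mt6762 mt6765 mt6767 mt6768 mt6769 mt6771 mt6779"
AFFECTED_SOCS="$AFFECTED_SOCS mt6781 mt6783 mt6785 mt6789 mt6833 mt6853 mt6855 mt6873"
AFFECTED_SOCS="$AFFECTED_SOCS mt6877 mt6879 mt6880 mt6883 mt6885 mt6886 mt6889 mt6890"
AFFECTED_SOCS="$AFFECTED_SOCS mt6891 mt6893 mt6895 mt6896 mt6980 mt6980d mt6983 mt6985"
AFFECTED_SOCS="$AFFECTED_SOCS mt6990 mt8167 mt8168 mt8173 mt8185 mt8321 mt8362a mt8365"
AFFECTED_SOCS="$AFFECTED_SOCS mt8385 mt8666 mt8673 mt8675 mt8765 mt8766 mt8768 mt8781"
AFFECTED_SOCS="$AFFECTED_SOCS mt8786 mt8788 mt8789 mt8791 mt8791t mt8797 mt2731 mt2735 mt2737"

triage() {  # usage: triage PATCH_LEVEL ANDROID_RELEASE BOARD_PLATFORM
    patch=$1; release=${2%%.*}; soc=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    [ -n "$soc" ] || { echo "not-listed"; return 0; }
    case " $AFFECTED_SOCS " in
        *" $soc "*) ;;
        *) echo "not-listed"; return 0 ;;
    esac
    case "$release" in
        11|12|13) ;;
        *) echo "not-listed"; return 0 ;;
    esac
    # ISO dates compare correctly as integers once the dashes are removed.
    p=$(printf '%s' "$patch" | tr -d '-'); m=$(printf '%s' "$MIN_PATCH" | tr -d '-')
    case "$p" in ''|*[!0-9]*) echo "unknown-patch-level"; return 0 ;; esac
    # A recent patch level is necessary, not sufficient: confirm the OEM build
    # actually contains ALPS07735968 / ALPS07884552.
    if [ "$p" -lt "$m" ]; then echo "exposed"; else echo "verify-vendor-patch"; fi
}

# Constructed sample inventory (serial,patch level,release,platform); not real devices.
SAMPLE='dev-001,2023-03-05,12,mt6765
dev-002,2023-06-01,13,MT6893
dev-003,2023-01-05,11,sdm660
dev-004,,12,mt8768'

report() {  # reads CSV on stdin, prints "serial verdict" for each device
    while IFS=, read -r serial patch release soc; do
        if [ -n "$serial" ]; then
            echo "$serial $(triage "$patch" "$release" "$soc")"
        fi
    done
}
printf '%s\n' "$SAMPLE" | report
```

Devices reported as `verify-vendor-patch` still need confirmation from the manufacturer, because the Android patch-level string alone does not prove the MediaTek fix is in the build.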

