CVE-2023-20726 Overview
CVE-2023-20726 is an information disclosure vulnerability in the MediaTek mnld (MNL daemon) component, which manages GNSS and location services on MediaTek chipsets. The flaw stems from a missing permission check that allows a local, low-privileged application to read GPS location data without holding the required Android location permissions. Exploitation requires no user interaction and no additional execution privileges beyond a local app context. The issue affects a wide range of MediaTek-based Android devices, as well as embedded platforms shipping the MediaTek stack on Yocto, RDK-B, and OpenWrt. MediaTek issued patches tracked as ALPS07735968 and ALPS07884552 in its May 2023 Product Security Bulletin.
Critical Impact
A local app without location permissions can read GPS coordinates from mnld, enabling silent geolocation tracking of the device user.
Affected Products
- MediaTek chipsets including MT6580, MT6739, MT6761–MT6896, MT6980/MT6980D, MT6983, MT6985, MT6990, MT2731/MT2735/MT2737, and the MT8xxx series
- Google Android 11.0, 12.0, and 13.0 builds running the vulnerable MediaTek mnld daemon
- Embedded platforms: Linux Foundation Yocto 2.6 and 3.3, RDK-B 2022q3, OpenWrt 19.07.0 and 21.02.0
Discovery Timeline
- 2023-05-15 - CVE-2023-20726 published to the National Vulnerability Database (NVD)
- May 2023 - MediaTek releases patches ALPS07735968 and ALPS07884552 in the May 2023 Product Security Bulletin
- 2025-01-24 - Last updated in the NVD
Technical Details for CVE-2023-20726
Vulnerability Analysis
The mnld daemon is the MediaTek Modem/Navigation Location daemon that brokers GNSS data between the modem and Android location services. The vulnerability is classified under CWE-862: Missing Authorization. A code path in mnld exposes GPS location data to local callers without verifying that the caller holds the ACCESS_FINE_LOCATION or ACCESS_COARSE_LOCATION permission enforced by the Android framework.
Because mnld runs as a system-level service with direct access to GNSS hardware, any application that can communicate with the daemon over its local IPC interface can retrieve coordinates that should be gated by the Android permission model. The result is a confidentiality breach limited to location data, with no impact on integrity or availability.
Root Cause
The root cause is an authorization gap in mnld: the daemon trusts local clients without consulting the Android permission manager before returning location fixes. Patch IDs ALPS07735968 and ALPS07884552 (the latter applying specifically to MT6880, MT6890, MT6980, MT6980D, and MT6990) add the missing permission validation before location data is returned to the caller.
Attack Vector
Exploitation is local. A malicious or curious Android app installed on the device, with no declared location permissions, opens the IPC channel exposed by mnld and issues a request for current location. Because the daemon does not validate the caller's permissions, it responds with live GPS coordinates. No user prompt is displayed, and the activity does not appear in Android's location access indicators tied to the framework permission model. The vulnerability mechanism is described in the MediaTek advisory; no public proof-of-concept code is available.
Detection Methods for CVE-2023-20726
Indicators of Compromise
- Untrusted third-party apps with no declared ACCESS_FINE_LOCATION or ACCESS_COARSE_LOCATION permissions that nonetheless open sockets or binder channels exposed by mnld
- Anomalous IPC traffic to mnld originating from non-system UIDs
- Apps that exfiltrate latitude/longitude values over the network despite having no location permission entitlements in their manifest
Detection Strategies
- Audit Android package manifests on managed fleets for apps that access location-related IPC endpoints without declaring location permissions
- Inspect device logs (logcat, dmesg) for mnld client connections from unexpected UIDs or package names
- Use mobile threat defense or EDR telemetry to flag processes reading from GNSS-related device nodes outside the documented Android Location Services chain
Monitoring Recommendations
- Enroll MediaTek-based Android devices in a mobile device management (MDM) platform and monitor patch level against the May 2023 MediaTek Security Bulletin
- Track installation of sideloaded APKs on corporate devices, as the attack requires local app installation
- Correlate outbound network flows containing geolocation payloads with the originating app's declared permissions
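The correlation in the last recommendation can be sketched as below. This is an added example, not code from MediaTek or from this advisory; the app inventory and flow records are constructed, and their field names (uid, package, permissions, dest, payload) are assumptions about what an MDM export and a network sensor provide.

```python
import re

LOCATION_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}
# Decimal lat/lon pair with >= 4 fractional digits each, so version strings
# such as "4.12.0" do not match.
COORD_PAIR = re.compile(
    r"(?<![\d.])(-?\d{1,2}\.\d{4,})\D{1,20}?(-?\d{1,3}\.\d{4,})(?![\d.])")

def find_coordinates(payload):
    """Return (lat, lon) pairs in payload that lie in valid geographic ranges."""
    pairs = []
    for m in COORD_PAIR.finditer(payload):
        lat, lon = float(m.group(1)), float(m.group(2))
        if -90 <= lat <= 90 and -180 <= lon <= 180:
            pairs.append((lat, lon))
    return pairs

def flag_unpermitted_location_flows(apps, flows):
    """Flag flows that carry coordinates from apps declaring no location permission."""
    by_uid = {app["uid"]: app for app in apps}
    findings = []
    for flow in flows:
        app = by_uid.get(flow["uid"])
        coords = find_coordinates(flow["payload"])
        if app and coords and LOCATION_PERMS.isdisjoint(app["permissions"]):
            findings.append((app["package"], flow["dest"], coords[0]))
    return findings

# Constructed sample data (hypothetical packages, UIDs and destinations).
APPS = [
    {"uid": 10151, "package": "com.example.maps", "permissions": [
        "android.permission.INTERNET", "android.permission.ACCESS_FINE_LOCATION"]},
    {"uid": 10187, "package": "com.example.flashlight", "permissions": [
        "android.permission.INTERNET"]},
]
FLOWS = [
    {"uid": 10151, "dest": "tiles.example.net", "payload": '{"lat":52.5200,"lon":13.4050}'},
    {"uid": 10187, "dest": "collect.example.org", "payload": "lat=37.42190&lng=-122.08400&id=7"},
    {"uid": 10187, "dest": "cdn.example.org", "payload": "GET /sdk/4.12.0/bundle.js v=1.0"},
]

if __name__ == "__main__":
    for finding in flag_unpermitted_location_flows(APPS, FLOWS):
        print(finding)
```

A hit is a triage lead rather than proof of mnld abuse, since an app can also obtain approximate coordinates from server-side IP geolocation. Payload matching only works where the sensor sees cleartext or inspected traffic.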
How to Mitigate CVE-2023-20726
Immediate Actions Required
- Apply the MediaTek security patch corresponding to your chipset by updating to a firmware build that includes ALPS07735968 or ALPS07884552 as published in the MediaTek Security Bulletin - May 2023
- Verify the Android security patch level on managed devices and require the May 2023 or later patch level for fleet compliance
- Restrict sideloading of untrusted apps on MediaTek-based devices until patches are deployed
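The patch-level check above can be automated over collected `getprop` output. This is an added example, not MediaTek or vendor tooling; the device dumps are constructed, and it assumes that MediaTek devices report a `ro.board.platform` value beginning with "mt" and that the vendor patch level matters because the fix ships with vendor components.

```python
import re
from datetime import date

REQUIRED = date(2023, 5, 1)  # "May 2023 or later", per this advisory
PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")
PATCH_PROPS = ("ro.build.version.security_patch", "ro.vendor.build.security_patch")

def parse_getprop(text):
    """Parse `adb shell getprop` output ("[key]: [value]" lines) into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def patch_date(value):
    """Parse a YYYY-MM-DD patch level; return None if missing or malformed."""
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        return None

def assess(getprop_text):
    """Classify one device: not-mediatek, unknown, needs-update or compliant."""
    props = parse_getprop(getprop_text)
    # Assumption: a MediaTek platform string starts with "mt" (e.g. mt6765).
    if not props.get("ro.board.platform", "").lower().startswith("mt"):
        return "not-mediatek"
    known = [d for d in (patch_date(props.get(k)) for k in PATCH_PROPS) if d]
    if not known:
        return "unknown"
    # The oldest reported level decides: a current OS image on top of an
    # older vendor image still counts as unpatched.
    return "compliant" if min(known) >= REQUIRED else "needs-update"

# Constructed getprop excerpts for three hypothetical devices.
DEVICE_A = """[ro.board.platform]: [mt6765]
[ro.build.version.security_patch]: [2023-06-05]
[ro.vendor.build.security_patch]: [2023-03-05]"""
DEVICE_B = """[ro.board.platform]: [mt6833]
[ro.build.version.security_patch]: [2023-05-05]
[ro.vendor.build.security_patch]: [2023-05-05]"""
DEVICE_C = """[ro.board.platform]: [othersoc]
[ro.build.version.security_patch]: [2022-11-01]"""

if __name__ == "__main__":
    for name, dump in (("A", DEVICE_A), ("B", DEVICE_B), ("C", DEVICE_C)):
        print(name, assess(dump))
```

A compliant patch level is a fleet-wide screen, not confirmation that a given build contains ALPS07735968 or ALPS07884552; the OEM's release notes remain the authority for that.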
Patch Information
MediaTek addressed the issue with Patch IDs ALPS07735968 and ALPS07884552. The second patch applies specifically to MT6880, MT6890, MT6980, MT6980D, and MT6990. Device OEMs integrate these patches into their Android security maintenance releases. Refer to the MediaTek Security Bulletin - May 2023 for the full chipset and Issue ID matrix.
Workarounds
- Limit app installation to vetted sources such as Google Play and enforce Play Protect on managed devices
- Use Android enterprise work profiles to isolate untrusted applications from sensitive workflows
- Where firmware updates are unavailable, disable or restrict access to applications that do not require GNSS functionality and monitor location-sensitive workflows on alternate devices


