CVE-2025-20788 Overview
CVE-2025-20788 is a memory corruption vulnerability in the MediaTek GPU pdma (peripheral DMA) component. The flaw originates from a missing permission check, classified under [CWE-1262] (Improper Access Control for Register Interface). A local attacker can trigger memory corruption that results in denial of service on affected Android devices running MediaTek chipsets. Exploitation requires user interaction and does not grant additional execution privileges. MediaTek tracks the fix under Patch ID ALPS10117735 and Issue ID MSV-4539.
Critical Impact
Local memory corruption in the GPU pdma component can crash the device or destabilize the kernel, producing a denial-of-service condition on affected MediaTek-based Android handsets.
Affected Products
- Google Android 15.0
- MediaTek MT6991
- MediaTek MT8196
Discovery Timeline
- 2025-12-02 - CVE-2025-20788 published to NVD
- December 2025 - MediaTek publishes Product Security Bulletin with patch ALPS10117735
- 2025-12-03 - Last updated in NVD database
Technical Details for CVE-2025-20788
Vulnerability Analysis
The vulnerability lives in the MediaTek GPU pdma driver, which exposes a register or command interface used to manage peripheral DMA operations for the GPU. The driver fails to enforce a required permission check before accepting operations that influence memory. As a result, an unprivileged local context can issue requests that the driver should have rejected. Improperly validated requests reach DMA-related code paths and corrupt kernel-managed memory. The corruption manifests as instability or a kernel fault, leading to local denial of service. Successful exploitation requires user interaction, such as launching or interacting with a malicious application.
Root Cause
The root cause is a missing access control check on the pdma register interface, aligning with [CWE-1262]. The driver assumes the caller is authorized to perform privileged DMA-related actions without verifying that assumption. This category of flaw is common in SoC drivers where hardware register interfaces are exposed to user space through ioctl or shared memory mappings without strict gating.
Attack Vector
The attack vector is local. An attacker delivers a malicious or trojanized application to the device and convinces the user to run it. The application interacts with the GPU pdma interface to issue crafted operations that the driver fails to authorize. The resulting memory corruption crashes the affected process or the kernel, denying service to the user. The flaw does not yield privilege escalation or remote code execution per the vendor advisory.
No public proof-of-concept or exploit has been released. Technical details beyond the vendor advisory are not currently available. See the MediaTek Product Security Bulletin for vendor-provided context.
Detection Methods for CVE-2025-20788
Indicators of Compromise
- Repeated kernel panics, GPU driver faults, or unexpected device reboots referencing the pdma or GPU subsystem in logcat and kernel ring buffer output.
- Newly installed third-party applications that request GPU or graphics-related device node access shortly before stability issues appear.
- Crash dumps in /data/tombstones/ referencing MediaTek GPU driver symbols.
Detection Strategies
- Monitor Android dmesg and logcat output for recurring faults in MediaTek GPU pdma code paths on MT6991 and MT8196 devices.
- Inventory deployed Android devices to identify those running affected MediaTek chipsets and Android 15.0 builds without the December 2025 security patch level.
- Use mobile threat defense telemetry to flag applications interacting with GPU device nodes outside expected behavior.
Monitoring Recommendations
- Track the Android security patch level reported by managed devices and alert on devices missing the December 2025 update.
- Forward mobile device crash and stability telemetry to a centralized data lake for correlation with application installation events.
- Review enterprise app catalogs and sideloaded application inventories on affected hardware models.
How to Mitigate CVE-2025-20788
Immediate Actions Required
- Apply the December 2025 Android security patch level or later on all affected MediaTek MT6991 and MT8196 devices.
- Restrict installation of untrusted applications through mobile device management (MDM) policy until patches are deployed.
- Identify and decommission devices that no longer receive vendor security updates from the manufacturer.
Patch Information
MediaTek has issued a fix tracked as Patch ID ALPS10117735 (Issue ID MSV-4539), distributed through device manufacturers as part of the December 2025 Android security update. Refer to the MediaTek Product Security Bulletin for full patch details and OEM rollout guidance.
Workarounds
- Prevent installation of applications from unknown sources via MDM configuration.
- Educate users to avoid running untrusted applications that request unusual graphics or hardware permissions.
- Where feasible, isolate sensitive workloads from unpatched MediaTek-based devices until vendor updates are delivered.
# Verify Android security patch level on a managed device via ADB
adb shell getprop ro.build.version.security_patch
# Example expected output after applying the December 2025 update
# 2025-12-01
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
