CVE-2025-61616 Overview
CVE-2025-61616 is an improper input validation vulnerability [CWE-20] in the 5G New Radio (NR) modem firmware used in Unisoc chipsets. The flaw allows a remote attacker to trigger a system crash, resulting in a denial of service condition. Exploitation requires no authentication, no user interaction, and no elevated privileges.
The vulnerability affects Android devices running on Unisoc T8100, T8200, T8300, and T9100 platforms across Android versions 13.0 through 16.0. The affected modem component processes malformed network input without proper validation, leading to a crash of the cellular baseband.
Critical Impact
Remote attackers can crash the cellular modem on affected Android devices over the air, disrupting voice and data connectivity without requiring any user interaction.
Affected Products
- Google Android 13.0, 14.0, 15.0, and 16.0
- Unisoc T8100 and T8200 chipsets
- Unisoc T8300 and T9100 chipsets
Discovery Timeline
- 2026-03-09 - CVE-2025-61616 published to NVD
- 2026-03-09 - Last updated in NVD database
Technical Details for CVE-2025-61616
Vulnerability Analysis
The vulnerability resides in the 5G NR modem stack of Unisoc baseband firmware. The modem fails to properly validate input fields received over the cellular air interface. When a malformed message reaches the affected processing routine, the resulting parsing error crashes the modem subsystem.
The crash terminates cellular connectivity on the affected device. Because the modem operates as a discrete processor with its own firmware, the crash impacts radio communication rather than the Android application processor. The result is loss of voice, SMS, and mobile data service until the modem restarts.
The issue is tracked under CWE-20 (Improper Input Validation) by NVD. No information disclosure or code execution has been reported. The impact is limited to availability of the cellular interface.
Root Cause
The root cause is missing or insufficient input validation in the NR modem's message handling logic. Unisoc has not publicly released the specific function or message type affected. The flaw permits attacker-controlled input to reach code paths that assume well-formed structures.
Attack Vector
Attackers exploit the vulnerability over the network attack surface exposed by the cellular radio. A rogue base station or proximate radio transmitter can deliver crafted 5G NR signaling messages to a target device. The attack does not require pairing with a legitimate network operator.
No authentication is needed because the affected parsing occurs before mutual authentication completes in some signaling flows. User interaction is not required, as the modem processes radio messages automatically. The vulnerability mechanism is described in the Unisoc Security Announcement.
Detection Methods for CVE-2025-61616
Indicators of Compromise
- Unexpected cellular modem restarts or repeated loss of mobile signal on Unisoc-based Android devices.
- Modem crash logs or ramdump artifacts in device diagnostic logs referencing the NR protocol stack.
- Reports of localized loss of cellular service correlating with the presence of unauthorized radio equipment.
Detection Strategies
- Monitor mobile device management (MDM) telemetry for elevated rates of radio resets across fleets of Unisoc-based handsets.
- Inspect Android logcat and vendor-specific modem logs for crash signatures in NR signaling components.
- Use radio frequency monitoring to detect rogue or unauthorized cellular base stations in sensitive locations.
Monitoring Recommendations
- Track device-side cellular availability metrics and correlate outages across geographically proximate devices.
- Aggregate modem crash reports through Android vendor telemetry channels for trend analysis.
- Alert on repeated cellular radio service restarts on managed devices within short time windows.
How to Mitigate CVE-2025-61616
Immediate Actions Required
- Apply the Unisoc-provided firmware update through the device OEM's Android security patch channel as soon as it is available.
- Inventory all managed Android devices using Unisoc T8100, T8200, T8300, or T9100 chipsets and prioritize their patching.
- For high-risk users in sensitive environments, restrict use of affected devices until patches are deployed.
Patch Information
Unisoc has published a security announcement describing the issue and remediation. Device manufacturers integrate the fix into Android security patch levels distributed through their update channels. Refer to the Unisoc Security Announcement for the authoritative remediation guidance.
Workarounds
- Disable 5G NR connectivity on affected devices and operate in LTE-only mode where feasible to reduce exposure to the vulnerable code path.
- Enable airplane mode in environments where rogue radio activity is suspected.
- Limit use of affected devices in untrusted radio environments until firmware updates are installed.
# Configuration example: set preferred network type to LTE-only via ADB on test devices
adb shell settings put global preferred_network_mode 9
adb shell svc data disable
adb shell svc data enable
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
