CVE-2026-20401 Overview
CVE-2026-20401 is a denial of service vulnerability affecting the modem component in multiple MediaTek chipsets. The vulnerability stems from an uncaught exception in the modem firmware that can be triggered when a User Equipment (UE) connects to a rogue base station controlled by an attacker. This allows for remote denial of service attacks that can cause complete system crashes without requiring any user interaction or additional execution privileges.
Critical Impact
Remote attackers operating rogue cellular base stations can cause complete system crashes on affected devices, disrupting critical communications and potentially impacting device availability in safety-critical scenarios.
Affected Products
- MediaTek NR15 5G Modem
- MediaTek MT2735 LTE Modem
- MediaTek MT6833 (Dimensity 700)
- MediaTek MT6853 (Dimensity 720)
- MediaTek MT6855 (Dimensity 930)
- MediaTek MT6873 (Dimensity 800)
- MediaTek MT6875 (Dimensity 820)
- MediaTek MT6877 (Dimensity 900)
- MediaTek MT6880 (Dimensity 1000)
- MediaTek MT6883 (Dimensity 1000C)
- MediaTek MT6885 (Dimensity 1000+)
- MediaTek MT6889 (Dimensity 1000+)
- MediaTek MT6890 (Dimensity 1200)
- MediaTek MT6891 (Dimensity 1100)
- MediaTek MT6893 (Dimensity 1200)
- MediaTek MT8675/MT8771/MT8791/MT8791T/MT8797 Tablet Chipsets
Discovery Timeline
- February 2, 2026 - CVE-2026-20401 published to NVD
- February 4, 2026 - Last updated in NVD database
Technical Details for CVE-2026-20401
Vulnerability Analysis
This vulnerability is classified under CWE-617 (Reachable Assertion) and CWE-754 (Improper Check for Unusual or Exceptional Conditions). The modem firmware fails to properly handle exceptional conditions that can occur while processing cellular network protocol messages. When the modem receives malformed or unexpected signaling from a rogue base station, the firmware encounters an uncaught exception that propagates through the system, ultimately causing a crash.
The attack surface is particularly concerning because it exploits the inherent trust relationship between mobile devices and cellular infrastructure. Affected devices will automatically attempt to connect to the strongest available signal, making them susceptible to attackers operating fake base stations (also known as IMSI catchers or Stingrays) in proximity to potential targets.
Root Cause
The root cause lies in inadequate exception handling within the MediaTek modem firmware's signaling protocol processing code. The firmware does not properly validate and handle malformed or unexpected network messages, allowing certain edge cases to trigger unhandled exceptions. This represents a failure to implement defensive programming practices that would gracefully handle unexpected input conditions rather than crashing the entire system.
Attack Vector
The attack requires the adversary to operate a rogue base station within radio range of the target device. When a device running vulnerable MediaTek modem firmware connects to this malicious base station, the attacker can send specially crafted network signaling messages designed to trigger the uncaught exception. The attack does not require any user interaction, as devices automatically connect to cellular networks, and no additional privileges are needed beyond control of the fake base station.
The network-based attack vector and low attack complexity make this vulnerability especially dangerous in targeted scenarios where an adversary is physically close to potential victims. Critical infrastructure, government facilities, and high-value corporate environments are at particular risk from such attacks.
Detection Methods for CVE-2026-20401
Indicators of Compromise
- Unexpected device reboots or system crashes occurring in specific geographic locations
- Multiple devices in the same area experiencing simultaneous connectivity issues or crashes
- Modem crash logs indicating uncaught exceptions in cellular signaling handlers
- Unusual cellular network behavior patterns detected by RF monitoring equipment
Detection Strategies
- Monitor device crash reports for modem-related exceptions, particularly those associated with Patch ID MOLY01738310 or Issue ID MSV-5933
- Implement cellular anomaly detection systems to identify rogue base stations in sensitive areas
- Deploy enterprise mobile device management (MDM) solutions that can aggregate and correlate device crash events across fleets
- Utilize RF spectrum analysis tools to detect unauthorized cellular infrastructure
Monitoring Recommendations
- Establish baseline crash rates for mobile device fleets and alert on statistical anomalies
- Implement centralized logging for modem crash events across managed devices
- Monitor cellular signal strength patterns for sudden changes that might indicate rogue base station presence
- Enable vendor-specific diagnostic logging on MediaTek-based devices where available
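The fleet-level correlation described above (several devices crashing in the same area at about the same time) can be sketched as follows. This is an added example, not code from the advisory or from MediaTek. The event fields, site tags, 10-minute window and three-device threshold are assumptions standing in for whatever crash telemetry an MDM export actually provides.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of crash telemetry as an MDM export might provide it:
# (device_id, ISO timestamp, site tag, crashing component). All values are made up.
SAMPLE_EVENTS = [
    ("dev-01", "2026-02-10T09:00:05", "hq-lobby", "modem"),
    ("dev-02", "2026-02-10T09:01:40", "hq-lobby", "modem"),
    ("dev-03", "2026-02-10T09:03:10", "hq-lobby", "modem"),
    ("dev-01", "2026-02-10T09:04:00", "hq-lobby", "modem"),   # repeat crash, same device
    ("dev-04", "2026-02-10T09:02:00", "hq-lobby", "camera"),  # not a modem crash
    ("dev-05", "2026-02-10T09:02:30", "warehouse", "modem"),  # isolated crash elsewhere
    ("dev-06", "2026-02-10T14:30:00", "hq-lobby", "modem"),   # hours later, alone
]

def find_modem_crash_clusters(events, window=timedelta(minutes=10), min_devices=3):
    """Return one alert per burst where at least `min_devices` distinct devices
    at the same site logged a modem crash within `window` of each other."""
    by_site = defaultdict(list)
    for device, ts, site, component in events:
        if component == "modem":
            by_site[site].append((datetime.fromisoformat(ts), device))

    alerts = []
    for site, crashes in by_site.items():
        crashes.sort()
        recent = deque()          # crashes currently inside the sliding window
        alerted_until = None      # suppress duplicate alerts for the same burst
        for ts, device in crashes:
            recent.append((ts, device))
            while ts - recent[0][0] > window:
                recent.popleft()
            devices = {d for _, d in recent}
            if len(devices) >= min_devices and (alerted_until is None or ts > alerted_until):
                alerts.append({"site": site, "start": recent[0][0], "end": ts,
                               "devices": sorted(devices)})
                alerted_until = ts + window
    return alerts

if __name__ == "__main__":
    for alert in find_modem_crash_clusters(SAMPLE_EVENTS):
        print(f"{alert['site']}: {len(alert['devices'])} devices had modem crashes "
              f"between {alert['start']} and {alert['end']}: {alert['devices']}")
```

Counting distinct devices rather than raw crash events keeps a single device stuck in a reboot loop from raising a fleet-level alert.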
How to Mitigate CVE-2026-20401
Immediate Actions Required
- Check affected device inventory for MediaTek chipsets listed in the advisory
- Apply firmware updates from device manufacturers that incorporate MediaTek's patch MOLY01738310
- Prioritize patching for devices used in high-security or critical infrastructure environments
- Consider restricting device usage in areas where rogue base station attacks are suspected
Patch Information
MediaTek has released a security patch addressing this vulnerability under Patch ID MOLY01738310 and Issue ID MSV-5933. The fix is documented in the MediaTek Security Bulletin February 2026. Device manufacturers (OEMs) are responsible for integrating this patch into their firmware updates and distributing them to end users through standard update channels.
Organizations should coordinate with their device vendors to confirm availability of patched firmware and establish deployment timelines. Enterprise customers may need to work with MDM solutions to expedite update distribution across managed device fleets.
Workarounds
- Where operationally feasible, avoid using affected devices in environments where rogue base station attacks are a concern
- Enable airplane mode when devices are not actively needed for cellular communication in high-risk scenarios
- Utilize Wi-Fi calling as an alternative to direct cellular connectivity when available and secure
- Implement physical security measures to detect and prevent deployment of unauthorized cellular equipment in sensitive facilities
```bash
# Configuration example - Device inventory check for affected MediaTek chipsets
# Read the hardware platform string from a device connected over adb
adb shell getprop ro.hardware
# Expected output may include: mt6833, mt6873, mt6885, etc.
# Check modem firmware version for patch status
adb shell getprop gsm.version.baseband
# Confirm with the device manufacturer that this baseband build integrates patch MOLY01738310
```


