CVE-2026-20402 Overview
CVE-2026-20402 is a high-severity vulnerability affecting the modem component in multiple MediaTek chipsets. The vulnerability stems from improper input validation that can cause a system crash, leading to a remote denial of service condition. The attack scenario requires a User Equipment (UE) device to connect to a rogue base station controlled by an attacker. Once connected, the attacker can exploit this vulnerability without requiring any additional execution privileges or user interaction.
This vulnerability affects a wide range of MediaTek mobile and tablet chipsets, including the MT68xx and MT87xx series, which are commonly found in Android smartphones and tablets from various manufacturers. The baseband modem vulnerability is particularly concerning as it operates at a low level in the device's communication stack.
Critical Impact
Remote attackers controlling a rogue cellular base station can crash affected devices, causing complete denial of service without any user interaction required.
Affected Products
- MediaTek NR15 (5G modem software)
- MediaTek MT2735 5G modem
- MediaTek MT6833, MT6853, MT6855, MT6873, MT6875, MT6877 chipsets
- MediaTek MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893 chipsets
- MediaTek MT8675, MT8771, MT8791, MT8791T, MT8797 tablet chipsets
Discovery Timeline
- February 2, 2026 - CVE-2026-20402 published to NVD
- February 4, 2026 - Last updated in NVD database
Technical Details for CVE-2026-20402
Vulnerability Analysis
This vulnerability is classified under CWE-787 (Out-of-bounds Write), indicating that the modem firmware fails to properly validate input data boundaries before processing cellular network signaling messages. When a device connects to a malicious base station, specially crafted protocol messages can trigger memory corruption in the modem's signal processing routines.
The attack is particularly dangerous because it targets the baseband processor, which handles all cellular communications independently from the main application processor. A crash in the modem component results in complete loss of cellular connectivity and can cause the entire device to become unresponsive or reboot.
The network attack vector means exploitation can occur remotely, though the attacker must operate a rogue base station within radio proximity of the target device. This limits practical exploitation to scenarios involving physical proximity or sophisticated cellular network attacks.
Root Cause
The root cause is improper input validation in the MediaTek modem firmware. When processing cellular protocol messages from connected base stations, the modem component fails to adequately verify the size and format of incoming data before writing it to memory buffers. This allows malformed input to trigger an out-of-bounds write condition, corrupting critical memory structures and causing the modem processor to crash.
The vulnerability is tracked internally by MediaTek as Patch ID: MOLY00693083 and Issue ID: MSV-5928.
Attack Vector
The attack requires the following conditions:
- The attacker operates a rogue cellular base station (4G/5G) within radio range of target devices
- A vulnerable device connects to the malicious base station (either through cell selection or forced handover)
- The attacker sends specially crafted protocol messages that exploit the input validation flaw
- The modem crashes, causing denial of service to the device
The attack does not require any privileges on the target device and needs no user interaction, making it a low-complexity attack once the rogue infrastructure is in place. The vulnerability affects availability only—there is no impact to confidentiality or integrity of data.
Detection Methods for CVE-2026-20402
Indicators of Compromise
- Unexpected device reboots or modem crashes without apparent cause
- Loss of cellular connectivity followed by automatic recovery attempts
- Devices connecting to unknown or suspicious cell towers with unusual signal characteristics
- Repeated baseband firmware crash logs in device diagnostics
Detection Strategies
- Monitor for unusual cellular network behavior patterns across device fleets
- Implement network monitoring to detect rogue base stations in proximity to sensitive locations
- Review device crash reports and modem diagnostic logs for signs of exploitation attempts
- Deploy cellular security solutions that can validate base station authenticity
Monitoring Recommendations
- Enable logging on Mobile Device Management (MDM) solutions to track device stability metrics
- Configure alerts for repeated modem crashes across managed device populations
- Monitor for devices experiencing connectivity issues in specific geographic areas
- Implement cellular intrusion detection systems where high-security environments require protection
How to Mitigate CVE-2026-20402
Immediate Actions Required
- Apply firmware updates from device manufacturers that include MediaTek's patch MOLY00693083
- Contact device OEMs to confirm patched firmware availability for affected chipsets
- Prioritize updates for devices used in sensitive or high-risk environments
- Consider temporary deployment of cellular signal monitoring in critical facilities
Patch Information
MediaTek has released security patches addressing this vulnerability as part of their February 2026 security bulletin. The patch is identified as MOLY00693083. Device manufacturers (OEMs) must integrate this modem firmware update into their device-specific security updates before end users can apply the fix.
Organizations should review the MediaTek Security Bulletin February 2026 for complete details and coordinate with their device vendors for patch availability timelines.
Workarounds
- Avoid connecting to unknown or untrusted cellular networks when possible
- Use WiFi connectivity as an alternative in controlled environments until patches are applied
- Deploy enterprise mobility solutions that can restrict which networks devices connect to
- In extremely sensitive environments, consider temporary use of Faraday shielding or cellular signal blocking until patched devices are available
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
