CVE-2026-20403 Overview
CVE-2026-20403 is a critical Out-of-Bounds Write vulnerability (CWE-787) affecting MediaTek modem firmware across a wide range of chipsets. The vulnerability exists in the modem component where a missing bounds check can lead to a system crash when a User Equipment (UE) connects to a rogue base station controlled by an attacker. This remote denial of service attack requires no additional execution privileges and no user interaction for exploitation.
Critical Impact
Remote attackers operating a rogue base station can crash affected devices without any user interaction, potentially disrupting critical mobile communications across millions of devices using MediaTek chipsets.
Affected Products
- MediaTek NR15, NR16, NR17, and NR17R modem firmware
- MediaTek MT67xx series chipsets (MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899)
- MediaTek MT69xx series chipsets (MT6980, MT6983, MT6985, MT6989, MT6990, MT6991, MT6993)
- MediaTek MT27xx series chipsets (MT2735, MT2737)
- MediaTek MT87xx series chipsets (MT8673, MT8675, MT8676, MT8771, MT8791, MT8791T, MT8795T, MT8797, MT8798, MT8893)
Discovery Timeline
- 2026-02-02 - CVE-2026-20403 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2026-20403
Vulnerability Analysis
This vulnerability stems from a missing bounds check in the MediaTek modem firmware, specifically within the baseband processing code. When the modem processes signaling messages from a cellular base station, the absence of proper input validation allows an attacker-controlled rogue base station to send specially crafted messages that trigger an out-of-bounds memory write operation.
The attack scenario involves setting up a malicious cellular base station that broadcasts signals mimicking legitimate cell towers. When a vulnerable device connects to this rogue station—which can occur automatically as phones constantly search for the strongest signal—the attacker can send malformed data that exceeds expected buffer boundaries, causing memory corruption and subsequent system crash.
This vulnerability is particularly concerning because it targets the baseband processor, which operates at a lower level than the main application processor and often has direct access to sensitive radio communications. The impact is limited to denial of service (availability), with no evidence of data exfiltration or code execution capabilities.
Root Cause
The root cause is a missing bounds check (CWE-787: Out-of-bounds Write) in the modem firmware's message processing routines. When handling certain protocol messages from a base station, the code fails to validate that input data fits within allocated buffer sizes before writing to memory. This allows an attacker to cause writes beyond the intended memory boundaries, corrupting critical data structures and leading to system instability.
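To illustrate the bug class in code, here is an added example that is not MediaTek's firmware and does not reproduce the actual affected message format (the bulletin does not disclose it): a hypothetical length-prefixed signalling message handler in the vulnerable CWE-787 shape beside its checked form. The frame layout (one length byte followed by payload), PAYLOAD_MAX and the ue_ctx structure are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAYLOAD_MAX 64u   /* capacity of the fixed buffer in the hypothetical UE context */

/* Hypothetical UE-side context that the message handler writes into. */
struct ue_ctx {
    uint8_t payload[PAYLOAD_MAX];
    size_t  payload_len;
};

/* Vulnerable pattern (CWE-787): the declared length is taken straight from the
 * over-the-air frame and used as the copy size with no comparison against the
 * destination capacity. A frame declaring len > PAYLOAD_MAX writes past
 * payload[] and corrupts whatever follows it in memory. Kept only for contrast
 * with the checked version; never feed it untrusted input. */
void handle_msg_unchecked(struct ue_ctx *ctx, const uint8_t *frame, size_t frame_len)
{
    (void)frame_len;                         /* received size is never consulted */
    size_t declared_len = frame[0];
    memcpy(ctx->payload, frame + 1, declared_len);
    ctx->payload_len = declared_len;
}

/* Hardened version: validate the declared length against both the bytes that
 * were actually received (prevents an over-read of the frame) and the
 * destination capacity (prevents the out-of-bounds write) before any memory
 * is touched. Malformed frames are rejected and the context is left unchanged. */
bool handle_msg_checked(struct ue_ctx *ctx, const uint8_t *frame, size_t frame_len)
{
    if (frame_len < 1)                       /* no length byte present */
        return false;
    size_t declared_len = frame[0];
    if (declared_len > frame_len - 1)        /* claims more bytes than were received */
        return false;
    if (declared_len > PAYLOAD_MAX)          /* would overflow the fixed buffer */
        return false;
    memcpy(ctx->payload, frame + 1, declared_len);
    ctx->payload_len = declared_len;
    return true;
}

int main(void)
{
    struct ue_ctx ctx = {0};
    uint8_t frame[256] = {200};              /* constructed hostile frame: declares 200 payload bytes */
    return handle_msg_checked(&ctx, frame, sizeof frame) ? 1 : 0;   /* 0 means correctly rejected */
}
```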
Attack Vector
The attack vector is network-based, specifically through the cellular radio interface. An attacker must establish a rogue base station within radio range of target devices. When a vulnerable device's modem attempts to communicate with what it perceives as a legitimate cell tower, the attacker can inject malicious protocol messages that exploit the missing bounds check.
The attack requires physical proximity to establish the rogue base station within effective range but requires no privileges on the target device and no user interaction. Devices automatically connect to base stations as part of normal cellular operation, making this attack vector particularly stealthy and effective in crowded areas where targets may be unaware they've connected to a malicious station.
Detection Methods for CVE-2026-20403
Indicators of Compromise
- Unexpected device reboots or crashes, particularly when in areas with previously reliable cellular coverage
- Modem subsystem crash logs referencing memory access violations or segmentation faults
- Unusual cellular network behavior including repeated connection attempts to unknown base stations
- System logs showing baseband processor failures coinciding with location changes
Detection Strategies
- Monitor device crash reports for patterns indicating modem firmware failures across device fleets
- Implement network anomaly detection to identify rogue base station characteristics such as unusual signal strength patterns or non-standard protocol behavior
- Deploy cellular signal analysis tools in sensitive locations to detect unauthorized base stations
- Enable verbose modem logging where available to capture protocol-level diagnostics
Monitoring Recommendations
- Aggregate and analyze crash telemetry from mobile device fleets to identify exploitation patterns
- Establish baseline cellular behavior metrics to detect anomalies indicative of rogue base station presence
- Coordinate with mobile carriers to leverage their network monitoring capabilities for detecting unauthorized infrastructure
How to Mitigate CVE-2026-20403
Immediate Actions Required
- Apply the MediaTek security patches referenced by Patch IDs MOLY01689254 (for NR15 and NR16) and MOLY01689259 (for NR17 and NR17R) through OEM firmware updates
- Check with device manufacturers for availability of firmware updates addressing Issue ID MSV-4843
- Prioritize patching devices used in high-security environments or those likely to be targeted
- Consider limiting cellular connectivity on critical devices until patches are deployed
Patch Information
MediaTek has released patches addressing this vulnerability as documented in the MediaTek Security Bulletin February 2026. The patches add proper bounds checking to the affected modem code paths:
- Patch ID MOLY01689254: Addresses the vulnerability in NR15 and NR16 modem firmware
- Patch ID MOLY01689259: Addresses the vulnerability in NR17 and NR17R modem firmware
Device manufacturers using affected MediaTek chipsets should integrate these patches into their firmware and distribute updates to end users. End users should apply all available system and security updates from their device manufacturer.
Workarounds
- Enable airplane mode when in potentially hostile RF environments where rogue base stations may be present
- Use Wi-Fi calling as an alternative to cellular connectivity where feasible
- Avoid automatic network selection and manually select trusted carriers where supported by the device
- In high-security scenarios, consider using Faraday bags or RF-shielded environments to prevent unintended cellular connections until patches are applied
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.