CVE-2026-20404 Overview
CVE-2026-20404 is an improper input validation vulnerability in MediaTek modem firmware that can lead to a system crash and remote denial of service. The vulnerability exists in the modem component's input handling routines and can be exploited when a User Equipment (UE) device connects to a rogue base station controlled by an attacker. Exploitation requires no additional execution privileges and no user interaction, making this a significant threat to mobile devices utilizing affected MediaTek chipsets.
Critical Impact
Remote denial of service affecting mobile devices with MediaTek modems when connecting to malicious base stations, potentially disrupting communications for millions of devices worldwide.
Affected Products
- MediaTek NR15, NR16, NR17, NR17R modem firmware
- MediaTek MT67xx series chipsets (MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6858, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899)
- MediaTek MT69xx series chipsets (MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993)
- MediaTek MT27xx series modems (MT2735, MT2737)
- MediaTek MT86xx/87xx/88xx tablet and IoT chipsets (MT8668, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893)
Discovery Timeline
- February 2, 2026 - CVE-2026-20404 published to NVD
- February 4, 2026 - Last updated in NVD database
Technical Details for CVE-2026-20404
Vulnerability Analysis
This vulnerability stems from CWE-787 (Out-of-bounds Write), a memory corruption flaw where the modem firmware fails to properly validate input data before processing. When a mobile device connects to a cellular base station, the modem processes various signaling messages and data streams. The vulnerable code path does not adequately verify the boundaries or format of incoming data, allowing a malicious base station to send crafted messages that trigger an out-of-bounds memory write operation.
The exploitation scenario involves an attacker deploying a rogue cellular base station (sometimes called an IMSI catcher or fake cell tower) that appears legitimate to nearby mobile devices. When a device with an affected MediaTek modem connects to this malicious base station, the attacker can transmit specially crafted signaling data that exploits the input validation flaw, causing the modem firmware to crash and resulting in a denial of service condition.
Root Cause
The root cause is improper input validation in the MediaTek modem firmware's message processing routines. Specifically, the modem fails to adequately validate the length, format, or boundaries of data received from base stations before writing to memory buffers. This leads to an out-of-bounds write condition (CWE-787) that corrupts memory and causes a system crash.
The vulnerability is tracked internally by MediaTek under Patch ID MOLY01689248 and Issue ID MSV-4837.
Attack Vector
The attack vector for CVE-2026-20404 involves network-based exploitation through a rogue cellular base station:
- The attacker deploys a malicious base station within radio range of target devices
- The rogue base station broadcasts signals that attract vulnerable devices to connect
- Once a device with an affected MediaTek modem establishes a connection, the attacker sends specially crafted signaling messages
- The malformed input triggers the improper validation flaw in the modem firmware
- An out-of-bounds write occurs, corrupting memory and causing the modem or the entire device to crash
- The device experiences a denial of service, potentially requiring a reboot to restore connectivity
This attack requires no user interaction and can be executed against any device within radio range of the malicious base station.
Detection Methods for CVE-2026-20404
Indicators of Compromise
- Unexpected device reboots or modem crashes when in specific geographic locations
- Unusual cellular connection patterns, such as frequent disconnections and reconnections
- Device logs showing modem firmware crashes or kernel panics related to the modem subsystem
- Reports of multiple devices in the same area experiencing simultaneous connectivity issues
Detection Strategies
- Monitor device telemetry for patterns of modem-related crashes across device fleets
- Implement cellular network anomaly detection to identify potential rogue base stations
- Review Android system logs for modem subsystem crashes with signatures matching CVE-2026-20404
- Deploy endpoint detection solutions capable of correlating device crashes with network activity
Monitoring Recommendations
- Enable crash reporting and analytics on mobile device management (MDM) platforms
- Monitor for clusters of device crashes that may indicate rogue base station activity in a geographic area
- Implement network monitoring to detect unauthorized cellular infrastructure
- Track firmware versions across device inventory to identify unpatched systems
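The fleet-level checks above (crash clusters on one serving cell, and unpatched baseband builds in the inventory) can be run over MDM crash telemetry. The following is an added example, not code from the advisory or from MediaTek; the telemetry records, the cell identifiers and the "patched baseband" strings are constructed placeholders to be replaced with real values from the vendor's release notes.

```python
# Added example: flag clusters of modem crash reports from a device fleet and list
# devices still running an unpatched baseband. All sample data is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry: one record per modem crash reported through the MDM feed.
# cell_id stands in for a coarse location (serving cell at the time of the crash).
SAMPLE_CRASHES = [
    {"device": "dev-01", "ts": "2026-02-05T09:01:10", "cell_id": "310-410-7781", "baseband": "BASEBAND_OLD_PLACEHOLDER"},
    {"device": "dev-02", "ts": "2026-02-05T09:05:42", "cell_id": "310-410-7781", "baseband": "BASEBAND_OLD_PLACEHOLDER"},
    {"device": "dev-01", "ts": "2026-02-05T09:12:00", "cell_id": "310-410-7781", "baseband": "BASEBAND_OLD_PLACEHOLDER"},
    {"device": "dev-03", "ts": "2026-02-05T09:20:08", "cell_id": "310-410-7781", "baseband": "BASEBAND_OLD_PLACEHOLDER"},
    {"device": "dev-04", "ts": "2026-02-05T13:40:00", "cell_id": "310-410-2204", "baseband": "BASEBAND_NEW_PLACEHOLDER"},
    {"device": "dev-05", "ts": "2026-02-05T15:55:00", "cell_id": "310-410-2204", "baseband": "BASEBAND_OLD_PLACEHOLDER"},
]

# Placeholder set: fill from the manufacturer's notes for the February 2026 update.
PATCHED_BASEBANDS = {"BASEBAND_NEW_PLACEHOLDER"}


def find_crash_clusters(records, window=timedelta(minutes=30), min_devices=3):
    """Return {cell_id: [devices]} for cells where at least `min_devices` distinct
    devices reported a modem crash within `window` of each other."""
    by_cell = defaultdict(list)
    for r in records:
        by_cell[r["cell_id"]].append((datetime.fromisoformat(r["ts"]), r["device"]))
    clusters = defaultdict(set)
    for cell, events in by_cell.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until events[start:end+1] fits in `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            devices = {d for _, d in events[start:end + 1]}  # distinct devices, not repeats
            if len(devices) >= min_devices:
                clusters[cell].update(devices)
    return {cell: sorted(devs) for cell, devs in clusters.items()}


def unpatched_devices(records, patched=PATCHED_BASEBANDS):
    """Devices whose reported baseband build is not in the known-patched set."""
    return sorted({r["device"] for r in records if r["baseband"] not in patched})


if __name__ == "__main__":
    print("crash clusters:", find_crash_clusters(SAMPLE_CRASHES))
    print("unpatched devices:", unpatched_devices(SAMPLE_CRASHES))
```

A repeat crash from the same device counts once, so a single flapping handset does not by itself produce a cluster; three distinct devices on the same cell inside the window do.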
How to Mitigate CVE-2026-20404
Immediate Actions Required
- Apply the MediaTek security patch MOLY01689248 through device manufacturer OTA updates
- Check with your device manufacturer for availability of the February 2026 security update
- Consider temporarily disabling automatic network selection in high-risk environments
- Maintain physical security awareness in areas where rogue base station deployment is possible
Patch Information
MediaTek has released a security patch addressing this vulnerability as documented in the MediaTek Security Bulletin February 2026. The fix is tracked under Patch ID MOLY01689248. Device manufacturers integrating MediaTek chipsets should obtain the patched modem firmware from MediaTek and distribute it to end users through their standard update channels.
End users should ensure their devices are running the latest available firmware from their device manufacturer that incorporates the February 2026 MediaTek security updates.
Workarounds
- Avoid connecting to unknown or untrusted cellular networks in sensitive environments
- Use manual network selection to prefer known carriers when operating in potentially hostile areas
- Enable airplane mode and rely on WiFi in locations where rogue base station attacks are suspected
- Consider network security solutions that can detect and alert on suspicious cellular infrastructure
# Check Android device modem firmware version (via ADB)
adb shell getprop gsm.version.baseband
# Review modem crash logs on Android
adb logcat -b radio | grep -i "crash\|fatal\|panic"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.