CVE-2026-20405 Overview
CVE-2026-20405 is a denial of service vulnerability affecting the modem component in numerous MediaTek chipsets. The vulnerability stems from a missing bounds check in the modem firmware, which can cause a system crash when a User Equipment (UE) device connects to a rogue base station controlled by an attacker. This vulnerability requires no user interaction and no additional execution privileges to exploit, making it particularly concerning for mobile device security.
Critical Impact
Remote denial of service attack possible through rogue base stations affecting a wide range of MediaTek-powered devices including smartphones, tablets, and IoT devices.
Affected Products
- MediaTek NR15, NR16, NR17, NR17R (Modem Software)
- MediaTek MT67xx Series (MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6858, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993)
- MediaTek MT27xx Series (MT2735, MT2737)
- MediaTek MT86xx/MT87xx Series (MT8668, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893)
Discovery Timeline
- February 2, 2026 - CVE-2026-20405 published to NVD
- February 4, 2026 - Last updated in NVD database
Technical Details for CVE-2026-20405
Vulnerability Analysis
This vulnerability is classified under CWE-617 (Reachable Assertion), indicating that the modem firmware contains an assertion or boundary condition that can be triggered through external input, causing an unrecoverable crash. The vulnerability exists in the baseband modem processing layer, where incoming cellular network signaling data is parsed without adequate bounds checking.
When a device connects to a malicious base station (such as an IMSI catcher or fake cell tower), the attacker can send specially crafted signaling messages that exploit the missing bounds check, resulting in an immediate system crash. The attack is particularly dangerous because it operates at the modem level, below the operating system, and can affect the device even when security software is running.
Root Cause
The root cause of CVE-2026-20405 is a missing bounds check in the modem firmware's signal processing routines. The modem firmware fails to validate the size or content of certain parameters received from base station communications, allowing out-of-bounds data to trigger an assertion failure or memory access violation. This type of vulnerability typically occurs when developers assume that data from cellular infrastructure is trustworthy, without considering adversarial scenarios involving rogue base stations.
Attack Vector
The attack requires the adversary to operate a rogue base station within radio range of the target device. When a vulnerable device scans for and connects to this malicious cell tower (either through signal strength preference or forced association techniques), the attacker can deliver malformed signaling messages to the modem. The attack is entirely network-based, requires no privileges on the target device, and needs no user interaction. The victim device will experience an immediate crash and potential reboot loop if it reconnects to the same rogue station.
The attack scenario involves:
- Attacker deploys a rogue base station broadcasting a strong cellular signal
- Target device with vulnerable MediaTek modem connects to the rogue station
- Attacker sends malformed modem signaling data that the firmware processes without a bounds check
- Device modem crashes, causing system-wide denial of service
- Device may enter a reboot loop if it automatically reconnects to the rogue station
Detection Methods for CVE-2026-20405
Indicators of Compromise
- Unexpected device reboots or crashes, particularly in specific geographic locations
- Modem crash logs showing assertion failures or memory violations in baseband firmware
- Unusual cellular network behavior such as frequent re-registration or connection drops
- Multiple devices in the same area experiencing simultaneous crashes
Detection Strategies
- Monitor device crash reports for patterns indicating modem-level failures with crash signatures matching MOLY01688495 or related identifiers
- Implement network monitoring to detect suspicious base station activity or signal anomalies in enterprise environments
- Deploy cellular network monitoring solutions capable of identifying rogue base stations or IMSI catchers
- Analyze Android system logs for modem subsystem crashes using dmesg or vendor-specific diagnostic tools
Monitoring Recommendations
- Establish baseline crash reporting for MediaTek-powered devices to identify anomalous crash patterns
- Configure enterprise mobile device management (MDM) solutions to alert on unusual device reboot frequencies
- Monitor for location-correlated device failures that may indicate localized rogue base station activity
- Implement network-based detection for fake base stations in high-security environments
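The location-correlated and repeated-crash patterns listed under Indicators of Compromise and Monitoring Recommendations can be checked with a sliding time window over crash telemetry. The following is an added example, not part of the original advisory or any vendor tooling; the record layout, site names, and thresholds are assumptions to be tuned against a fleet's own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MDM crash telemetry: (device_id, site, ISO timestamp, crash source).
# Field names and values are illustrative, not a real MDM export format.
SAMPLE_EVENTS = [
    ("dev-01", "hq-lobby", "2026-02-10T09:00:05", "modem"),
    ("dev-02", "hq-lobby", "2026-02-10T09:01:40", "modem"),
    ("dev-03", "hq-lobby", "2026-02-10T09:03:10", "modem"),
    ("dev-01", "hq-lobby", "2026-02-10T09:04:30", "modem"),
    ("dev-04", "warehouse", "2026-02-10T09:02:00", "app"),
    ("dev-05", "warehouse", "2026-02-10T13:20:00", "modem"),
    ("dev-06", "branch-2", "2026-02-10T10:00:00", "modem"),
    ("dev-06", "branch-2", "2026-02-10T10:03:00", "modem"),
    ("dev-06", "branch-2", "2026-02-10T10:06:00", "modem"),
]

def find_clusters(events, window=timedelta(minutes=10), min_devices=3, min_repeats=3):
    """Return (area_alerts, loop_alerts) for modem crashes inside a sliding time window.

    area_alerts: sites where >= min_devices distinct devices crashed within `window`.
    loop_alerts: devices with >= min_repeats modem crashes at one site within `window`.
    """
    by_site = defaultdict(list)
    for dev, site, ts, source in events:
        if source == "modem":  # ignore app/OS crashes
            by_site[site].append((datetime.fromisoformat(ts), dev))

    area_alerts, loop_alerts = {}, set()
    for site, rows in by_site.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Advance the left edge until the window spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            in_window = [dev for _, dev in rows[start:end + 1]]
            distinct = set(in_window)
            if len(distinct) >= min_devices:
                area_alerts[site] = max(len(distinct), area_alerts.get(site, 0))
            for dev in distinct:
                if in_window.count(dev) >= min_repeats:
                    loop_alerts.add((site, dev))
    return area_alerts, sorted(loop_alerts)

if __name__ == "__main__":
    areas, loops = find_clusters(SAMPLE_EVENTS)
    print("multi-device clusters:", areas)
    print("possible reboot loops:", loops)
```

A multi-device cluster at one site is the stronger signal for localized rogue base station activity; a single device looping may equally be a hardware fault and should be weighed against the baseline crash rate.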
How to Mitigate CVE-2026-20405
Immediate Actions Required
- Apply firmware updates from device manufacturers as they become available through the February 2026 security bulletin
- For high-security environments, consider restricting device movement to areas with verified cellular infrastructure
- Enable airplane mode or disable cellular connectivity on affected devices in high-risk situations until patches are applied
- Contact device OEMs to confirm patch availability for specific device models
Patch Information
MediaTek has released a patch identified as MOLY01688495 (Issue ID: MSV-4818) addressing this vulnerability. The fix is documented in the MediaTek Security Bulletin February 2026. Device manufacturers using affected MediaTek chipsets must integrate this patch into their firmware updates. End users should apply security updates from their device manufacturers as soon as they become available.
Workarounds
- Disable cellular connectivity and use Wi-Fi only in environments where rogue base station attacks are a concern
- Use devices with modem isolation capabilities that can contain crashes without affecting the main system
- In enterprise environments, deploy cellular signal detection equipment to identify potential rogue base stations
- Consider using devices with alternative chipsets for sensitive operations until patches are deployed
```bash
# Check for MediaTek modem firmware version on Android devices
adb shell "cat /proc/mtk_modem_version"
# Or check system properties for modem information
adb shell "getprop | grep modem"
# Review crash logs for modem-related failures
adb shell "dmesg | grep -i modem"
```


